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IRANIAN CYBER THREAT TO THE U.S. 
HOMELAND 


Thursday, April 26, 2012 

U.S. House of Representatives, 

Committee on Homeland Security, 

Subcommittee on Counterterrorism and 

Intelligence, and 

Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, 

Washington, DC. 

The subcommittees met, pursuant to call, at 10:06 a.m., in Room 
311, Cannon House Office Building, Hon. Patrick Meehan [Chair- 
man of the Subcommittee on Counterterrorism and Intelligence] 
presiding. 

Present from the Subcommittee on Counterterrorism and Intel- 
ligence: Representatives Meehan, Cravaack, and Hahn. 

Present from the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies: Representatives Lungren, 
Higgins, Clarke, Richardson, and Richmond. 

Also present: Representative Green. 

Mr. Meehan. Good morning, the Committee on Homeland Secu- 
rity Subcommittees on Counterterrorism and Intelligence and Cy- 
bersecurity, Infrastructure Protection, and Security Technologies — 
this is a joint committee hearing — will come to order. Subcommit- 
tees are meeting today to hear the testimony regarding the threat 
of a cyber attack to the United States homeland from the Islamic 
Republic of Iran. I will now recognize myself for an opening state- 
ment. 

I would like to begin today by thanking Chairman Lungren and 
Ranking Member Clarke and all of the Members of the Sub- 
committee on Cybersecurity, Infrastructure Protection, and Secu- 
rity Technologies for joining us here today to examine the threat 
posed by Iran in the cyber arena. The combination of our expertise 
on counterterrorism and intelligence, and your expertise on cyber- 
security will inform and enhance our discussion. I look forward to 
hearing from you, and our panel. 

I believe the joint hearing represents the attitude we must have 
when confronted with emerging threats that may not be adequately 
understood. In my view, the adaptability, flexibility, and willing- 
ness to erase institutional barriers called for in the 9/11 Commis- 
sion Report is on display here, with each of us bringing our own 
expertise to study a threat which crosses borders and cannot easily 
be put into a box. While Chairman Lungren and his colleagues on 
the CIPST Subcommittee have studied the ins and outs of pro- 
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tecting our Nation’s critical infrastructure from cyber attack, the 
membership of the CT&I Subcommittee have spent a lot of time ex- 
amining the threat posed by Iran in the world’s largest state spon- 
sor of terrorism, and its proxies, of course, principally including 
Hezbollah. 

For the Subcommittee on Counterterrorism and Intelligence, this 
hearing is a continuation of our previous work examining the 
threat from Tehran. Last year our subcommittee examined the 
Hezbollah presence in Latin America that detailed the recently ex- 
posed Iranian government plot to conduct a brazen attack here in 
Washington, DC. I have also recently returned from the region, 
where I met with defense and intelligence officials and government 
leaders in Israel and Turkey and Jordan. After in-depth conversa- 
tions and briefings including with Turkey president Abdullah Gul, 
Israeli Prime Minister Benjamin Netanyahu, and His Majesty King 
Abdullah of Jordan, it became increasingly clear that Iran is the 
most destructive and malicious actor in the region, and will persist 
in antagonizing the United States and our allies, especially the 
State of Israel. 

As Iran’s illicit nuclear program continues to inflame tensions be- 
tween Tehran and the West, I am struck by the emergence of an- 
other possible avenue of attack emanating from Iran — the possi- 
bility that Iran could conduct a cyber attack against the United 
States homeland. Now, many will discount this threat just as many 
ignored the possibility that Iran would conduct any kind of attack 
on American soil. Well, this assumption was proven woefully wrong 
when last year’s plot to kill the Saudi Ambassador was uncovered. 
Now we are adjusting to a realistic understanding of Iran’s intent 
to conduct terror attacks and to kill innocent Americans in the U.S. 
homeland, we cannot blind ourselves to this new threat. After all, 
if Iran is willing to blow up a Washington restaurant, and kill in- 
nocent Americans, we would be naive to think that Iran could 
never conduct a cyber attack against the United States homeland. 

Earlier this year, in testimony before the Senate Intelligence 
Committee, Director of National Intelligence James Clapper clearly 
stated that Iran’s intelligence operations against the United States, 
including cyber capabilities, have dramatically increased in recent 
years in depth and complexity. What I view as a private-sector val- 
idation of the cyber threat posed by Iran, Google executive Chair- 
man Eric Schmidt recently stated the Iranians are talented in 
cyber war for some reasons we don’t fully understand. 

In the event of a military strike against Iranian nuclear facili- 
ties, former director of the National Counterterrorism Center, Mi- 
chael Leiter, assessed that a cyber attack conducted by Iran — 
Tehran against the United States, would be reasonably likely. 

The threat of cyber warfare may be relatively new, but it is not 
small. Iran has reportedly invested over $1 billion in developing 
their cyber capabilities, and it appears they may have already car- 
ried out attacks against organizations like the BBC, and Voice of 
America. There have been reports that Iran may have even at- 
tempted to breach the private networks of a major Israeli financial 
institution. Iran is very publicly testing its cyber capabilities in the 
region, and in time, will expand its reach. 
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Other nations such as Russia and China may have more sophisti- 
cated cyber capabilities, but there should be little doubt that a 
country that kills innocent civilians around the world, guns down 
its own people, and calls for the destruction of the State of Israel, 
would not hesitate to conduct a cyber attack against the United 
States homeland. 

That is why today’s hearing is so important. 

I want to thank you for joining us today, and I look forward to 
hearing from our witnesses. 

[The statement of Mr. Meehan follows:] 

Statement of Chairman Patrick Meehan 
April 26, 2012 

WELCOME 

I would like to begin today by thanking Chairman Lungren and Ranking Member 
Clarke, and all the Members of the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies for joining us here today to examine the 
threat posed by Iran in the cyber arena. The combination of our expertise on 
counterterrorism and intelligence and your expertise on cybersecurity will inform 
and enhance our discussion, and I look forward to hearing from you and our panel. 

IMPORTANCE OF JOINT HEARING 

I believe this joint hearing represents the attitude we must have when confronted 
with emerging threats that may not be adequately understood. In my view, the 
adaptability, flexibility, and willingness to erase institutional barriers called for in 
the 9/11 Commission Report is on display here, with each of us bringing our own 
expertise to study a threat which crosses borders and cannot easily be put into one 
box. While Chairman Lungren and his colleagues on the CIPST subcommittee have 
studied the “ins” and “outs” of protecting our Nation’s critical infrastructure from 
cyber attack, the Members of the CTI subcommittee have spent a lot of time exam- 
ining the threat posed by Iran, the world’s largest state sponsor of terrorism, and 
its proxies, including Hezbollah. 

PAST SUBCOMMITTEE IRAN EXAMINATIONS 

For the Subcommittee on Counterterrorism and Intelligence, this hearing is a con- 
tinuation of our previous work examining the threat from Tehran. Last year, our 
subcommittee examined the Hezbollah presence in Latin America that detailed the 
recently exposed Iranian government plot to conduct a brazen terror attack here in 
Washington, DC. I have also recently returned from the region, where I met with 
defense and intelligence officials and government leaders in Israel, Turkey, and Jor- 
dan. After in-depth conversations and briefings, including with Turkey President 
Abdullah Gul, Israeli Prime Minister Benjamin Netanyahu, and His Majesty King 
Abdullah of Jordan, it became increasingly clear that Iran is the most destructive 
and malicious actor in the region and will persist in antagonizing the United States 
and our allies, especially the State of Israel. 

EMERGING CYBER THREAT FROM IRAN 

As Iran’s illicit nuclear program continues to inflame tensions between Tehran 
and the West, I am struck by the emergence of another possible avenue of attack 
emanating from Iran: The possibility that Iran could conduct a cyber attack against 
the U.S. homeland. 

Many will discount this threat — just as many ignored the possibility that Iran 
would conduct an attack on American soil. This assumption was proven woefully 
wrong when last year’s plot to kill the Saudi Ambassador was uncovered. Now that 
we are adjusting to a realistic understanding of Iran’s intent to conduct terror at- 
tacks and kill innocent Americans in the U.S. homeland, we cannot blind ourselves 
to this new threat. After all, if Iran is willing to blow up a Washington restaurant 
and kill innocent Americans, we would be naive to think Iran would never conduct 
a cyber attack against the U.S. homeland. 
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SENIOR OFFICIALS WARNING 

Earlier this year in testimony before the Senate Intelligence Committee, Director 
of National Intelligence James Clapper clearly stated: “Iran’s intelligence operations 
against the United States, including cyber capabilities, have dramatically increased 
in recent years in depth and complexity.” In what I view as a private sector valida- 
tion of the cyber threat posed by Iran, Google Executive Chairman Eric Schmidt re- 
cently stated, the “Iranians are unusually talented in cyber war for some reason we 
don’t fully understand.” And, in the event of a military strike against Iranian nu- 
clear facilities, former director of the National Counterterrorism Center Michael 
Leiter assessed that a cyber attack conducted by Tehran against the United States 
would be “reasonably likely.” 

The threat of cyber warfare may be relatively new — but it is not small. Iran has 
reportedly invested over $1 billion in developing their cyber capabilities, and it ap- 
pears they may have already carried out attacks against news organizations like the 
BBC and Voice of America. There have been reports that Iran may have even at- 
tempted to breach the private networks of a major Israeli financial institution. Iran 
is very publicly testing its cyber capabilities in the region and, in time, will expand 
its reach. 


don’t ignore this threat 

Other nations such as Russia and China may have more sophisticated cyber capa- 
bilities, but there should be little doubt that a country that kills innocent civilians 
around the world, guns down its own people, and calls for the destruction of the 
State of Israel would not hesitate to conduct a cyber attack against the U.S. home- 
land. That is why today’s hearing is so important. 

I want to thank all of you for joining us today, and I look forward to hearing from 
our witnesses. 

Mr. Meehan. Now, I know that co-Chairman, or the Ranking 
Member Mr. Higgins is expected today at this moment, but until 
such time as he is able to join us at the hearing, the Chairman 
would now recognize Ms. Clarke for any opening comments she 
may have. Thank you. 

Ms. Clarke. Thank you very much, Mr. Chairman. Chairman 
Lungren, Chairman Meehan, thank you for holding this joint hear- 
ing on the Iranian cyber threat. State-sponsored cyber threats from 
Iran and actual attacks from other countries directed at the United 
States, have been a hot topic over the past few years. As you know, 
we have had a number of classified briefings concerning these 
state-sponsored attacks. Our ability to detect, prevent, preempt, 
and deter terrorists and malicious state-sponsored cyber attacks re- 
flect on our capability, and our political will to protect our vital Na- 
tional infrastructure from devastating consequences. 

I am glad my colleague and fellow New Yorker, Mr. Higgins, has 
brought some legislation to bear on the issue we are discussing 
today. His bill would amplify the State Department’s report to Con- 
gress on the proficiencies of Iran cyber and technological capabili- 
ties. This will help us assess Iran’s threat in greater detail. This 
is quite a story to be told about Iran and cyber threats, and I will 
be interested in hearing the testimony today. 

I have seen the report put out by Reporters Without Borders, 
that places Iran on the list of enemies of the internet, describing 
the various censoring techniques that Iran used to control the flow 
of information among its own people. 

The report refers to the government-sponsored cyber police func- 
tion that uses a combination of content filtering and access control. 
The report also mentions the use of distributed denial of service 
cyber attack techniques used as a form of political oppression, 
which it says may or may not be official state-sponsored activity. 
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Reports on Iranian Cyber Army have raised questions about the re- 
gime’s cyber attack capabilities and the extent to which these at- 
tacks are coordinated by the government. Some have said the Ira- 
nian Cyber Army may be a loose confederation of hackers and 
cyber activists similar to other hacking clusters, and may include 
cyber crime networks and other groups. 

One such known as the Ashiyane Digital Security Team, has 
claimed responsibility for hacking into and defacing thousands of 
websites. Both Iranian Cyber Army, and the Ashiyane are alleged 
to have ties with the Iranian government’s revolutionary guard, 
but who can tell? Given the Iranian regime’s control over the inter- 
net and attempts to crack down on citizen’s internet activity, it 
would appear to be a sweeping promotion of hacking without any 
legal or public recourse and suggests a tacit governmental approval 
of these activities. 

Some have said the Iranian Cyber Army resembles a collective 
of regime-backing hackers acting of their own volition; yet it may 
be that the regime has actively leveraged and employed the talents 
of a young population adept with computer tools. In the wake of 
Iran’s presidential election in June 2009, protesters had used Twit- 
ter to skirt government filters to promote, to report events, and or- 
ganize opposition rallies prompting the U.S. State Department to 
request that Twitter reschedule its planned maintenance activities 
in order to ensure access to pro-democracy users. But the Iranian 
regime’s brutal crackdown on the protesters seemingly succeeded. 
Demonstrations are now few and far between, and many of the 
web-based citizen journalists that have documented the uprising 
have been killed, imprisoned, or gone underground; their voices si- 
lenced. 

The most well-known cyber event in Iran occurred late in 2009, 
when this Central European security firm reported the discovery of 
a software worm called Stuxnet, that had infected computers con- 
trolling centrifuges of several Iranian nuclear enrichment plants. 
However, these computers were not connected to the internet, and 
the worm was said to have been injected into those computers 
using an external device such as a thumb drive. Stuxnet may be 
proof of Iran’s vulnerability and the effectiveness of other nation’s 
state cyber arsenals. However, it would be — it would also be pos- 
sible for Iran to gain some knowledge of creating a Stuxnet-like 
virus from analyzing its network effects. 

This leads to fear of reverse engineering leading to a capability 
of the types of cyber attacks on U.S. critical infrastructure that 
could rise to the level of a National security crisis. We must be pre- 
pared for such rogue actions and be prepared on the National de- 
fense level, as well as protecting our critical business operations, 
vital infrastructure functions, and frankly, our daily lives. 

The rapid technological advances in cybersecurity threats over 
the last several years have outpaced our ability as lawmakers to 
keep our laws up-to-date. The needed coordination of the many 
Governmental agencies and private institutions, and the implemen- 
tation of the procedures that would protect our infrastructure, are 
huge undertakings and will continue to have huge challenges. 

We are seeing some of those challenges being played out on the 
House floor this week, and my Ranking Member, Mr. Thompson, 
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is talking about some of the most constructive alternatives to the 
cyber legislation we are considering. Our intelligence community 
and law enforcement agencies face many challenges to anticipate, 
investigate, and respond to cyber threats. 

Simply, all these challenges must be overcome, and protection of 
our infrastructure accomplished without violating our fundamental 
rights of individual privacy that are enshrined in our Constitution. 
With that, Mr. Chairman, I yield back. 

Mr. Meehan. Thank you, Ms. Clarke. Before I begin, let me rec- 
ognize that the gentleman from Texas, Mr. Green, has joined us 
today, and I would like to ask unanimous consent that he be able 
to participate in today’s hearing. Hearing no objection, so ordered. 
Welcome Mr. Green. Thank you for being here with us today. The 
Chairman now recognizes my good friend, the Chairman of the 
Subcommittee on Cybersecurity, Infrastructure Protection, and Se- 
curity Technologies, the gentleman from California, Mr. Lungren, 
for any statement he may have. 

Mr. Lungren. Thank you very much, Mr. Chairman. I want to 
thank all of my colleagues for being here, particularly those from 
our companion subcommittee to meet on a very important subject. 
Those of us in the Congress know that we have an obligation to 
proceed with legislation on important issues such as cybersecurity. 

We have an obligation to conduct appropriate oversight of the 
Executive branch to ensure that they are doing that which needs 
to be done, in concert, or consistent with legislation that has been 
duly passed, but we also have another obligation, it seems to me, 
and that is to raise the knowledge of the public on issues of true 
National and international importance, and cyber security is one of 
those subjects, and we hope that this hearing provides insight into 
possible legislation, insight into oversight, and particularly, helps 
us to raise the public knowledge of this important issue. 

As we all know, communicating through cyber space, is now an 
integral part of the international marketplace, and the global econ- 
omy. Businesses of all sizes, increasingly depend upon it in their 
daily operations as well as for market growth. Individuals utilize 
it on a daily basis. Many people enter into the commercial market 
by way of the internet these days and other uses of cyber space. 

These innovative cyber technologies help U.S. businesses to 
achieve great efficiencies and to run their vital infrastructures. But 
the tremendous opportunities provided by cyber space, are accom- 
panied by obvious vulnerabilities. For instance, along with all of 
the other benefits, with all of the benefits, cyber space is replete 
with nefarious actors, including organized criminals, industrial 
spies, foreign governments taking inappropriate advantage of a 
cyber environment open to all users. The very openness of cyber 
space contributes to its vulnerability, and its possibility of abuse. 

We have been warning about cyber threats in this committee for 
a long time. It has been a bipartisan effort to warn of these 
threats. The Nation’s top Government, intelligence, and military 
leaders often cite the cyber threat as the issue that worries them 
the most. The reason is that a successful cyber attack on a power 
grid, transportation system, or communication networks could crip- 
ple our economy and threaten our National security. Any doubt 
about the physical damage that could be caused by a cyber attack 
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should have been eliminated by the Stuxnet virus. I am happy the 
Stuxnet virus was used by somebody who was a friendly, and it is 
probably the best example of the cyber and physical worlds inter- 
secting. 

Like Aurora, Stuxnet demonstrates that vital critical infrastruc- 
ture can be physically disabled or destroyed by a capable and moti- 
vated enemy, and as we know in those attacks, they were done 
with a certain stealth element to them. That is, the destruction 
took place before the operators that were supposed to protect 
against such destruction were able to even understand that they 
were under attack. 

In addition to these National security concerns, cyber threat 
thefts are also robbing us of our intellectual property. We have had 
examples already of how this has cost U.S. jobs and jeopardized our 
economic future. Cyber threats are real. They are growing in num- 
ber and sophistication. In assessing the Iranian threat to the U.S. 
homeland, we need to examine their motivation, their opportunity, 
and their capability. As the victim of two recent cyber attacks nu- 
clear and oil infrastructure, and multiple U.S. embargoes, Iran, it 
would seem, would have motivation to strike out against those they 
think are responsible, or anybody associated with those they think 
are responsible, or anybody who would stand on the sidelines and 
cheer those efforts. 

The opportunity arises as U.S. critical infrastructure companies 
have been slow to harden their assets against cyber attacks. Unfor- 
tunately, cyber attacks can be launched from any place in the 
world, because cyber space does not recognize borders. The impor- 
tant question when assessing Iran as a cyber threat is their cyber 
capability. American Security Contracting Firm issued a report in 
2008 rating Iran cyber capability among the top five globally. A De- 
cember 2011 report indicated that Tehran was investing $1 billion 
in new cyber warfare technology. 

So let me underscore a point made by the Chairman of our other 
subcommittee. According to the DNI Director Clapper, Iran’s intel- 
ligence operations against the United States including cyber capa- 
bilities, have dramatically increased in recent years, in depth, and 
complexity. 

Since Iran appears to have the necessary cyber capability, we can 
only hope that they will fear attribution and the overwhelming 
U.S. response that would surely follow such an Iranian cyber at- 
tack against our Nation. I look forward, along with my colleagues, 
to the testimony of the distinguished panel this morning on the na- 
ture of the cyber threat from this rogue Iranian regime. Thank you 
very much, Mr. Chairman. 

[The statement of Mr. Lungren follows:] 

Statement of Chairman Daniel E. Lungren 
April 26, 2012 

Communicating through cyber space is now an integral part of the international 
marketplace and the global economy. Businesses of all sizes increasingly depend 
upon it for their daily operations as well as for market growth. These innovative 
cyber technologies help U.S. businesses achieve great efficiencies and run their vital 
infrastructures. However, along with all the benefits, cyber space is replete with ne- 
farious actors — including organized criminals, industrial spies, and foreign govern- 
ments taking inappropriate advantage of a cyber environment open to all users. 
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We have been warning about cyber threats in this committee for a long time. The 
Nation’s top Government, intelligence, and military leaders often cite the cyber 
threat as the issue that worries them the most. The reason is that a successful cyber 
attack on our power grid, transportation systems, or communication networks could 
cripple our economy and threaten our National security. Any doubt about the phys- 
ical damage that can be caused by a cyber attack should have been eliminated by 
the Stuxnet virus. Stuxnet is the best example of the cyber and physical worlds 
intersecting. Like Aurora, Stuxnet demonstrates that vital critical infrastructure 
can be physically disabled or destroyed by a capable and motivated enemy. 

In addition to these National security concerns, cyber thefts are also robbing us 
of our intellectual property, costing U.S. jobs and jeopardizing our economic future. 
Cyber threats are real and growing in number and sophistication. 

In assessing the Iranian threat to the U.S. homeland, we need to examine their 
motivation, opportunity, and capability. As the victim of two recent cyber attacks 
(nuclear and oil infrastructure) and multiple U.S. embargoes, Iran clearly has moti- 
vation to strike us. 

Their opportunity arises as U.S. critical infrastructure companies have been slow 
to harden their assets against cyber attacks. Unfortunately, cyber attacks can be 
launched from any place in the world because cyber space doesn’t recognize inter- 
national borders. 

The important question when assessing Iran as a cyber threat is their cyber capa- 
bility. An American security contracting firm issued a report in 2008 rating Iran’s 
cyber capability among the top five globally. A December 2011 report indicated that 
Tehran was investing $1 billion in new cyber warfare technology. According to DNI 
Director Clapper, “Iran’s intelligence operations against the U.S., including cyber ca- 
pabilities, have dramatically increased in recent years in depth and complexity”. 

Since Iran appears to have the necessary cyber capability, we can only hope that 
they will fear attribution and the overwhelming U.S. response that would surely fol- 
low such an Iranian cyber attack against our Nation. 

I look forward to the testimony of our distinguished panel this morning on the 
nature of the cyber threat from this rogue Iranian regime. 

Mr. Meehan. Thank you, Mr. Lungren. The Chairman now rec- 
ognizes the Ranking Minority Member of the Subcommittee on 
Counterterrorism and Intelligence, my good friend, the gentleman 
from New York, Mr. Higgins, for any statement he may have. 

Mr. Higgins. Thank you, I would like to thank both Chairman 
Lungren and Meehan for holding this important hearing. It is also 
a pleasure to hold this hearing are Ranking Member Clarke, a fel- 
low Member from New York. I would also like to thank the wit- 
nesses for appearing here today. Cyber threat is a threat that 
knows no limit, and has no boundaries. We know that Iran poses 
a threat to our cybersecurity. We also know that our information 
technology has massive vulnerabilities. We know that our depend- 
ence on technology is pervasive and growing. We know that our 
moving forward as a Nation depends on our having a robust, com- 
prehensive cybersecurity policy in place. Therefore, we must have 
legislation and policies that not only examine the threat, but also 
protect critical infrastructure and promote research and develop- 
ment that will ensure that we have the proper protocols in place 
to prevent a cyber attack. I look forward to hearing the testimony 
and I yield back. 

Mr. Meehan. Thank you. Ranking Member Higgins. Other Mem- 
bers of the committee are reminded that opening statements may 
be submitted for the record. Now we are pleased to have a distin- 
guished panel of witnesses before us today on this very, very im- 
portant topic. Let me first give the biography of Mr. Frank Cilluffo. 
He is the associate vice president and director of the Homeland Se- 
curity Policy Institute at George Washington University, where he 
directs the homeland security efforts from policy, research, edu- 
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cation, and training on a wide range of homeland security matters 
including counterterrorism and cyber threats. 

Before joining the staff at GW, Mr. Cilluffo served as the special 
assistant to the President for Homeland Security. Shortly following 
September 11, 2001 terrorist attack, Mr. Cilluffo was appointed by 
President Bush to the newly-created Office of Homeland Security, 
and served as the principal advisor to Governor Tom Ridge. 

Prior to his White House appointment he spent 8 years in senior 
policy positions for the Center for Strategic and International Stud- 
ies where he directed numerous committees and task forces home- 
land defense. 

We are also joined by Mr. Ilan Berman, Mr. Ilan Berman is the 
vice president of the American Foreign Policy Council in Wash- 
ington, DC. Mr. Berman is an expert on regional security in the 
Middle East, Central Asia, and the Russian Federation. He has 
consulted for both the United States Central Intelligence Agency, 
and the United States Department of Defense, and provided assist- 
ance on foreign policy and National security issues in a range of 
Governmental agencies and Congressional offices. He is a member 
of the associated faculty at Missouri State University’s Department 
of Defense, and Strategic Studies. 

Last, we are joined by Roger Caslow. He is an executive cyber 
consultant for Suss Consulting. Prior to joining Suss, Mr. Caslow 
served as the chief of risk management and information security 
programs for the chief information officer of the intelligence com- 
munity. In this role, he is responsible for the development, imple- 
mentation, and oversight of multiple risk management policies, se- 
curity programs, and technology solutions supporting the intel- 
ligence community, and DoD. He has led the intelligence commu- 
nity in partnering with the National Institute of Standards, at all 
phases of planning, development, and delivery of significant body 
of Federal security guidance. He has held a number of positions 
with the DoD and intelligence community, including senior policy 
and plans leader for the chief information officer. 

I welcome each of the witnesses today, and the Chairman now 
recognizes Mr. Cilluffo to testify. 

STATEMENT OF FRANK J. CILLUFFO, ASSOCIATE VICE PRESI- 
DENT AND DIRECTOR, HOMELAND SECURITY POLICY INSTI- 
TUTE, THE GEORGE WASHINGTON UNIVERSITY 

Mr. Cilluffo. Chairman Meehan, Chairman Lungren, Ranking 
Members Higgins and Clarke, thank you for the opportunity to ap- 
pear before you today. As you will note from my prepared remarks, 
it is difficult to compress such a complex set of issues into 5 min- 
utes, coupled with the fact that I have never had an unspoken 
thought, but hopefully we can delve into some of the specificities 
during the Q&A. 

First, I don’t think it is a newsflash to underscore that we as a 
country still have a lot of work to do on the cyber front. I think 
it is appropriate and fair to suggest, while an imperfect analogy, 
that our cyber community is where our homeland community was 
shortly after 9/11. 

Second, compounding the specific challenge before us, you cannot 
effectively evaluate, assess, and ultimately address the Iranian 
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cyber threat through a counterterrorism, homeland security, cyber- 
security, or infrastructure protection lens alone; rather, the com- 
plexity demands that we look at it through a prism that incor- 
porates all of these views. Let me just also applaud both Chairmen 
that you saw the need to do some cross-committee pollination on 
some of these issues. 

Iran through its Islamic Revolutionary Guard Corps, associated 
Quds Force, and its proxies have long had the United States in 
their cross-hairs. Up until 9/11 it was Iran’s chief proxy, Hezbollah, 
that held the mantle of the deadliest terrorist organization, having 
killed more Americans up to that point than any other terrorist 
group. 

The current climate is particularly challenging and concerning, 
however, because the level of tension appears to be rising. We have 
seen an uptick in attempted and actual attacks on and assassina- 
tions of Israeli, Jewish, tJ.S., and Western interests from Beirut to 
Baku, to Bangkok and, of course, the recent assassination attempt 
on the Saudi Ambassador on the U.S. soil. 

Against this backdrop, getting ahead of the Iranian cyber threat 
to the United States is all the more relevant and all the more time- 
ly. The reach of Iran’s proxies have gone global. Hezbollah activi- 
ties now stretch from West Africa to the tri-border area of Argen- 
tina, Brazil, and Paraguay. Within the United States, there have 
been 16 arrests in 2010 of Hezbollah sympathizers seeking stinger 
missiles, M-4 rifles, and night vision equipment. Based on this re- 
cent activity, the Los Angeles Police Department has elevated the 
government of Iran and its proxies to a tier 1 threat. 

Notably, the city of Los Angeles, contains the most active 
Hezbollah presence in this country, and Los Angeles happens to 
also be home to the largest ethnic Iranian population outside of 
Iran itself. 

Law enforcement officials have also observed a striking conver- 
gence of crime and terrorism, a trend highlighted, I might note ear- 
lier this week by Defense Secretary Panetta, and further reinforced 
by SOUTHCOM Commander General Fraser. Hezbollah’s nexus 
with criminal activity is greater than that of any other known ter- 
rorist group. These links, including with gangs and cartels, gen- 
erate new possibilities for outsourcing, and new networks that can 
facilitate terrorist travel, logistics, recruitment, and operations, and 
I might note, including cyber. 

Moreover, authorities have noted significant terrorist interest in 
the tactics, techniques, and procedures of smuggling drugs and peo- 
ple into the United States. These developments suggest that our 
long-standing frames of reference, our so-called red lines, have 
shifted. First and foremost, whereas previously Iran and it proxies 
targeted U.S. interests and personnel abroad, the cleave between 
here, our homeland, and overseas is wearing away as these two 
fronts merge. As you know in cyber, where we particularly know 
no borders, this has great resonance. 

As you mentioned, the Director of National Intelligence, General 
Clapper, was very bold in stating now that Iran is now more will- 
ing to conduct an attack in the United States. I might note that 
his assessment has been echoed by many others in the National se- 
curity and law enforcement community of late. 
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Let me state a couple of very quick words, specifically on Iran 
cyber attack capabilities. As has been mentioned, Iran is investing 
heavily in building its cyber warfare capabilities, including stand- 
ing up the Iranian Cyber Army, which is in addition to their more 
conventional and traditional electronic warfare capabilities, which 
were quite sophisticated to begin with. Recent open-source and 
public incidents demonstrate a growing level of sophistication. 

Ms. Clarke, you mentioned many of the examples earlier today, 
but I might note there is one that you did not mention, that I 
thought demonstrated the highest level of sophistication, and that 
was the recent hack of a security certificate company in the Neth- 
erlands, a Dutch company, that demonstrated not only their hack- 
ing skills, but their ability to manipulate data as well. 

Prior to the official pronouncements regarding the Iranian Cyber 
Army, numerous hacker groups have operated pro-regime groups in 
Iran. These range from the broader Basige, to the recent stand up 
of the Cyber Hezbollah, and perhaps the most sophisticated group 
from a trade craft perspective, the Ashiyane. It in increasingly be- 
coming clear, however, that the IRGC is not only cultivating, but 
also guiding, and I think trying to assume control over these var- 
ious organizations. 

These developments aside, the good news is that if you were to 
rack and stack the greatest cyber threats in nations, Iran is not at 
the top of the list. Russia, PRC, and others are. The bad news is 
is what they lack in capability, they make up for in intent, and are 
not as constrained as other countries may be from engaging in 
cyber attacks or computer network attacks. Given Iran’s history to 
employ proxies for terrorist purposes, there is little, if any, reason 
to think that Iran would hesitate to engage proxies to conduct 
cyber attacks against perceived adversaries. 

To paraphrase Mark Twain, whereas history may not repeat 
itself, it tends to rhyme. If they did it in the kinetic and the phys- 
ical world, you can assume that they will be looking to cyber capac- 
ities as well. I know I am over my time, but a couple of very quick 
points. Another thing to think about is cyber basically levels the 
playing field. It provides asymmetry that can give small groups dis- 
proportionate impact and consequence. Whereas they may not have 
the capability, they can rent or buy that capability. There is a 
cyber arms bizarre on the internet. Intent and cash can take you 
a long way, and that is what I think we need to be thinking about. 
I might note that many have assumed and looked at the cyber 
threat more from a contingency or preemptive action that one of 
our allies may have in Iran. I don’t think that bar is there. I think 
that they already feel, as has been mentioned by Mr. Lungren, and 
yourself, Mr. Chairman, and Mr. Higgins as well, that they are 
taking the gloves off right now in a cyber environment. I might also 
note that specifically, the fact that they have tried to demonstrate 
such a capability with the drones, which I don’t necessarily believe 
at all, but they need to demonstrate that capability or they poten- 
tially lose all credibility. So I think now is the time to act. 

[The prepared statement of Mr. Cilluffo follows:] 
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Prepared Statement of Frank J. Cilluffo 
April 26, 2012 

Chairman Meehan, Chairman Lungren, Ranking Members Higgins and Clarke, 
and distinguished Members of the subcommittees, thank you for the opportunity to 
testify before you today. The subject is one of National importance — we, as a coun- 
try, still have work to do in order to best respond to, and get ahead of, threats on 
the cybersecurity front. Indeed, with regard to cyber, the United States is in a posi- 
tion akin to where the homeland security community was shortly after 9/11. This 
is problematic in terms of both cybersecurity and infrastructure protection, as well 
as counterterrorism and intelligence. There are many points of intersection and 
overlap between these two “lenses”; and if recent history has taught us anything, 
it is that bureaucratic stovepiping can have fatal consequences. Your demonstrated 
commitment to tackle the subject under study jointly is therefore all the more com- 
mendable, and indeed a model for moving the Nation forward on the truly difficult 
interdisciplinary challenges that characterize the current National security eco- 
system. 

Iran (its Islamic Revolutionary Guard Corps, and associated Quds Force; the Min- 
istry of Intelligence and Security; etc.) and proxies have long had the United States 
in their cross-hairs. Up until 9/11, in fact, it was Iran’s chief proxy, Hezbollah, that 
held the mantle of deadliest terrorist organization, having killed more Americans 
up to that point than any other terrorist group. The October 23, 1983 bombing of 
the U.S. Marine Barracks in Beirut, Lebanon, cost the lives of 241 soldiers, marines, 
and sailors. 

The current climate is particularly concerning however, because the level of ten- 
sion appears to be rising. We have seen an uptick in attempted and actual attacks 
on and assassinations of Israeli, Jewish, U.S., and Western interests. This past Feb- 
ruary saw apparently coordinated bomb attacks against the embassies of one ally, 
Israel, in the capitals of two others — India and Georgia. February also saw Iranian 
agents in Bangkok prematurely detonate explosives, while preparing devices, result- 
ing in injuries only to the perpetrators. Consider also the recently thwarted Iranian 
plot to assassinate Saudi Arabia’s ambassador to the United States. 

While Iran has sought to distance itself from the incidents described above and 
denied responsibility for them (not credibly mind you), the reach of Iran’s proxies 
has gone global. Hezbollah’s activities now stretch from West Africa to the Tri-Bor- 
der Area of Argentina, Brazil, and Paraguay. Within the United States, there were 
16 arrests of Hezbollah activists in 2010 based on Joint Terrorism Task Force inves- 
tigations in Philadelphia, New York, and Detroit; and the organization has at- 
tempted to obtain equipment in the United States, including Stinger missiles, M- 
4 rifles, and night vision equipment. ^ Based on recent activity, the Los Angeles Po- 
lice Department has elevated the Government of Iran and its proxies to a Tier One 
threat. Notably, the city of Los Angeles contains the most active Hezbollah presence 
in this country (Detroit is their “traditional” U.S. base of operations). Los Angeles 
also happens to be home to the largest ethnic Iranian population outside of Iran 
itself 

Law enforcement officials have observed a striking convergence of crime and ter- 
ror. Hezbollah’s nexus with criminal activity is greater than that of any other ter- 
rorist group. These links, including with gangs and cartels, generate new possibili- 
ties for outsourcing, and new networks that can facilitate terrorist travel, logistics, 
recruitment, and operations. Authorities have noted significant terrorist interest in 
tactics, techniques, and procedures used to smuggle people and drugs into the 
United States from Mexico. According to Texas State Homeland Security Director, 
Steve McCraw, Hezbollah operatives were captured trying to cross the border in 
September 2007. ^ 


1 Immigration and Customs Enforcement, DHS. “Indictment charges 4 with conspiracy to sup- 
port Hezbollah 6 others charged with related crimes,” press release, November 24, 2009. 
Accessed 4/23/12 http: j ! www.ice.gov t news t releases ! 0911 1091124philadelphia.htm\ Mike 
Newall, “Road to terrorism arrests began at Deptford Mall, Moussa Ali Hamdan’s meeting in 
2007 with an undercover FBI informant led to the indictment of 26 with alleged Hezbollah ties,” 
The Philadelphia Inquirer, January 25, 2010. Accessed 4/23/12 http://articles.philly.eom/2010- 

01-25 /news 125210171 1 hezbollah-fbi-informant-indictment\ and Anti-Defamation League, 

“Four Men Indicted in Philadelphia for Attempting to Support Hezbollah,” modified 6/16/2010. 

Accessed 4/23/12 http:/ / www.adl.org/niain Terrorism / Philadelphia hezbollah - 

indictment, htm . 

2 “Terrorists have been arrested on the border, security chief says,” Associated Press, Sep- 
tember 13, 2007. 
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Law enforcement officials also confirm that Shia and Sunni forces are cooperating 
to an extent. For instance, Shia members of Lebanese Hezbollah and Sunni (Saudi/ 
Iraqi) militant forces are drawing on each other’s skills. That said, competition per- 
sists even within Shia circles, including between Lebanese Hezbollah and Iran’s 
Quds Force. 

These developments suggest that our long-standing frames of reference and the 
“redlines” they incorporated have shifted. First and foremost: Whereas previously 
Iran and its proxies targeted U.S. interests and personnel abroad, the cleave be- 
tween here (the homeland) and overseas is wearing away, as the two fronts merge. 
The Director of National Intelligence recently stated that Iran is “now more willing 
to conduct an attack in the United States.”® His assessment does not stand alone. 
In a recent hearing before the House Committee on Homeland Security, the NYPD’s 
Director of Intelligence Analysis asserted that “New York City and its plethora of 
Jewish and Israeli targets could be targeted by Iran or Hezbollah in the event that 
hostilities break out in the Persian Gulf.”^ At the same hearing, the committee 
heard from a former Assistant Director of the FBI that Hezbollah’s fundraising in- 
frastructure in the United States could serve as a “platform” for launching attacks 
against the homeland.® 

With Iran’s nuclear program under scrutiny and sanctions, the potential for esca- 
lation is heightened. As a result of his policy choices. President Ahmadinejad is 
under increasing pressure both internationally and domestically.® The complexity of 
the situation is increased by the tendency of Iran and its allies to conflate the 
United States and our ally Israel in the context of Israeli contingency and attack 
plans. Events from Baku to Bangkok (referenced above) have been characterized by 
some analysts as a “shadow war”.'^ 

The conflict is not limited to the kinetic or to the physical world. In 2010, the 
Stuxnet worm disabled Iranian centrifuges used to enrich uranium. Attribution for 
this attack remains unresolved, although speculation has centered on Israel and the 
United States. The possibility that Iran may feel aggrieved and seek to retaliate, 
even in the absence of proof of attribution, is not to be dismissed — particularly 
against the backdrop of ever-tougher U.S. and global sanctions, and historically tur- 
bulent (at least as measured in decades) bilateral relations with the United States. 
The recent SWIFT sanctions have proven particularly effective in crippling Iran’s 
financial system, adding further pressure.® Iran is also grappling with Duqu, a 
worm which seems “designed to gather data to make it easier to launch future cyber 
attacks.”® 

With Stuxnet, the virtual and real worlds collided, as the worm caused physical 
damage to infrastructure. Former head of the CIA and the NSA, General Michael 
Hayden, has (rightly I would suggest) characterized Stuxnet as both “a good idea” 
and “a big idea” — suggesting also that it represents a crossing of the Rubicon in that 
“someone has legitimated this type of activity as acceptable.”'^® The vulnerability to 
cyber attack of critical systems, including nuclear facilities and supervisory control 
& data acquisition (SCADA)/industrial control systems — with concomitant possi- 
bility of loss of life, and less than fatal but still serious and widespread con- 


® Testimony of James R. Clapper before the Senate Select Committee on Intelligence, World- 
wide Threat Assessment of the U.S. Intelligence Community, January 31, 2012, Washington, DC. 
Accessed 4/18/2012 http:! / www.dni.gov ! testimonies 1 20120131 testimony ata.pdf. 

^'Testimony of Mitchell D. Silber before the U.S. House of Representatives Committee on 
Homeland Security, Iran, Hezbollah, and the Threat to the Homeland, March 21, 2012, Wash- 
ington, DC. Accessed 4/16/2012 http: !! homeland.house.gov ! sites ! homeland.house.gov I files ! 
Testimony-Silber.pdf. 

® Testimony of Chris Swecker before the U.S. House of Representatives Committee on Home- 
land Security, Iran, Hezbollah, and the Threat to the Homeland, March 21, 2012, Washington, 
DC. Accessed 4/22/2012 http: ! lhomeland.house.gov ! sites ! homeland.house.gov ! files ITestimony- 
Swecker.pdf. 

®Rick Gladstone and Alan Cowell, “Iran’s President Unfazed in Parliamentary Grilling,” The 
New York Times, March 14, 2012. Accessed 4/18/12 http: j I www.nytimes.com 12012 103 1 15 ! 

world I middleeast I iran-ahmadinejad-questioned-before-parliament-majlis.html? r=l&page- 

wanted=all. 

"^Andrew R.C. Marshall and Peter Apps, “Iran ‘shadow war’ intensifies, crosses borders,” Reu- 
ters, February 16, 2012. Accessed 4/17/12 http: 1 1 www.reuters.com I article 1 2012 1 02 1 161 us-iran- 
israeTsecurity-idUSTRE81FlE72012021G. 

® Corey Flintoff, “New Sanctions Severely Limit Iran’s Global Commerce,” NPR, March 19, 
2012. Accessed 4/18/12. http:! jwww.npr.org 1 2012 1031 19! 148917208 Iwithout-swift-iran-adrift- 
in-global-banking-world. 

®Yaakov Katz, “Iran Embarks on $lb. cyber-warfare program,” The Jerusalem Post, December 
18, 2011. Accessed 4/16/12. http:! j www.jpost.eom j Defense ! Article.aspxjid=2498G4. 

'®“Fmr. CIA head calls Stuxnet virus ‘good idea,’” 60 Minutes, March 1, 2012. Accessed 

4/20/12. http:! j www.cbsnews.com j 8301-18560 162-57388982 j fmr-cia-head-calls-stuxnet-virus- 

good-idea / . 
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sequences — raises a host of implications for U.S. National and homeland security. 
Potential targets are many and varied, and extend to critical sectors such as finance 
and telecommunications. Assistant to the President for Homeland Security and 
Counterterrorism, John O. Brennan, has stated that U.S. water and power systems 
are under cyber attack almost daily.ii Press reports also suggest that the U.S. nu- 
clear industry has experienced up to 10 million cyber attacks. Even if only one 
attempt were to succeed, the magnitude of the impact could significantly undermine, 
if not shatter, trust and confidence in the system. In addition, cyber capabilities 
may be used as a force multiplier in a conventional attack. 

The good news is that Iran is not as sophisticated as China or Russia insofar as 
computer network exploitation (CNE), cyber attack, and warfare capabilities are 
concerned (to be distinguished from intent). As yet, Iran has not shown itself to be 
a similarly advanced or persistent threat.^® This is not to give Iran a pass. To the 
contrary, U.S. officials are investigating “reports that Iranian and Venezuelan dip- 
lomats in Mexico were involved in planned cyber attacks against U.S. targets, in- 
cluding nuclear power plants.” Press reports based on a Univision (Spanish TV) doc- 
umentary that contained “secretly recorded footage of Iranian and Venezuelan dip- 
lomats being briefed on the planned attacks and promising to pass information to 
their governments,” allege that “the hackers discussed possible targets, including 
the FBI, the CIA and the Pentagon, and nuclear facilities, both military and civil- 
ian. The hackers said they were seeking passwords to protected systems and sought 
support and funding from the diplomats.”!"* 

Cyberspace largely levels the pla3dng field, allowing individuals and small groups 
to have disproportionate impact. This asymmetry can be leveraged by nation-states 
that seek to do us harm, by co-opting or simply buying/renting the services and 
skills of criminals/hackers to help design and execute cyber attacks against the 
United States. For example, do-it-yourself code kits for exploiting known 
vulnerabilities are easy to find and even the Conficker worm (variants of which still 
lurk, forming a botnet of approximately 1.7 million computers) was rented out for 
use.!® jn short, no comfort can be taken from the fact that Iran lacks the sophistica- 
tion of nations such as China, Russia, or the United States. Proxies for cyber capa- 
bilities are available. There exists an arms bazaar of cyber weapons. Adversaries do 
not need capabilities, just intent and cash. 

Iran has a long history of demonstrated readiness to employ proxies for terrorist 
purposes, drawing on kinetic means. There is little, if any, reason to think that Iran 
would hesitate to engage proxies to conduct cyber strikes against perceived adver- 
saries. To paraphrase Mark Twain, history may not repeat itself, but it does tend 
to rhyme. Elements of the IRGC have openly sought to pull hackers into the fold;!® 
and the Basij, who are paid to do cyber work on behalf of the regime, provide much 
of the manpower for Iran’s cyber operations. !'! As in the physical world however, we 
must keep in mind when crafting security solutions and response mechanisms that 
Iran is not monolithic: Command-and-control there is murky, even within the IRGC, 
let alone what is outsourced. The attribution challenge associated with cyber space 
is therefore all the more complicated where Iran is concerned. Smoking keyboards 
are hard to find. Cyber space is a domain made for plausible deniability. 

In addition to hired or acquired cyber capabilities, the Government of Iran is, ac- 
cording to press reports, investing heavily ($1 billion) to develop and build out its 


!!John O. Brennan, “Time to protect against dangers of cyberattack,” The Washington Post, 
April 15, 2012. Accessed 4/23/12. http:/ / www.washingtonpost.com /opinions /time-to-protect- 
against-dangers-of-cyberattack /2012 /04/ 15 / glQAdJP8JT_story.html. 

!2 Jason Koebler, “U.S. Nukes face up to 10 miilion cyber attacks daily,” US News & World 
Report, March 20, 2012. Accessed 4/24/12. http://www.usnews.eom/news/articles/2012/03/20/ 
us-nu/tes-face-up-to-lO-million-cyber-attacks-daily. 

!^But note Google executive Eric Schmidt’s statement: “Iranians are unusually talented [at 
cyher warfare] for some reason we don’t fully understand.” “Google admits Iranian superiority 
in cyber warfare,” Payvand, December 18, 2011. Accessed 4/17/12. http://www.payvand.com/ 
news/ 11/ dec / 1189.html 

!* Shaun Waterman, “U.S. authorities probing alleged cyberattack plot by Venezuela, Iran,” 
The Washington Times, December 13, 2011. Accessed 4/18/12 http:/ / www.washingtontimes.com / 
news/ 201 1 / dec / 13/ us-probing-alleged-cyberattack-plot-iran-venezuela / ?page=all. 

Conficker Working Group, “Conficker Working Group: Lessons Learned,” accessed 4/18/12 

http: / / www.confickerworkinggroup. org /wiki/ uploads / Conficker Working Group - 
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!® Golnaz Esfandiari, “Iran Says it Welcomes Hackers Who Work for Islamic Republic,” Radio 
Free Europe, March 07, 2011. Accessed 4/18/12. http: // www.rfeA.org / content / 
iran says it welcomes hackers who work for Islamic republic/ 2330495.html 

17 “The Role of the Basij in Iranian Cyber Operations,” Internet Haganah, March 24, 2011. 
Accessed 4/17/12. http:/ / internet-haganah.com / harchives / 007223.html. 
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own cyber war capabilities, both offense and defensive.^® There is evidence that at 
the heart of IRGC cyber efforts one will find the Iranian political/criminal hacker 
group “Ashiyane.”^® In late 2009 and early 2010, hackers calling themselves the Ira- 
nian Cyber Army struck Twitter and the Chinese search engine Baidu.^® The group 
also appears to have struck Iranian websites managed by the opposition Green 
Movement, with deleterious results for the opposition’s ability to coordinate its ac- 
tivities. The high visibility of these attacks suggests that the Iranian Cyber Army 
and similar groups might be utilized as proxies by Iran’s Islamic Revolutionary 
Guard Corps. In the event of a conflict in the Persian Gulf, similar attacks on pub- 
lic-facing websites could provide Iran an avenue for psychological operations di- 
rected against the U.S. public. Though fluid, hacker groups could be cultivated and 
guided — if not directly managed — by the IRGC. Iran’s ability to conduct Electronic 
Warfare, including the jamming and spoofing of radar and communications systems, 
has been enhanced through its acquisition of advanced jamming equipment. In the 
event of a conflict in the Persian Gulf, Iran might hope to combine electronic and 
computer network attack methods to degrade U.S. and allied radar systems, compli- 
cating both offensive and defensive operations. 

There is also an Iranian “cyber police force”®® that blocks “foreign websites and 
social networks deemed a threat to national security,” with overall policy guidance 
provided by “The Supreme Council of Virtual Space.”®’' Interestingly, a distributed 
denial of service (DDoS) attack against the BBC this year happened to “coincide 
with efforts to jam two of the service’s satellite feeds in Iran.”®® There has also been 
considerable speculation about Government of Iran involvement in a number of 
hacking incidents including against Voice of America, and a Dutch firm in the busi- 
ness of issuing security certificates. Fallout from the latter was significant and af- 
fected a range of entities including western intelligence and security services, 
Yahoo, Facebook, Twitter, and Microsoft.®® 

Not surprisingly, Iran is trying to make its cyber capabilities appear truly mus- 
cular. When a U.S. drone fell into Iranian hands in December 2011, Iranian officials 
were quick to claim that it was brought down by “electronic ambush of the armed 
forces.”®^ The facts surrounding this incident are not all known, but from what U.S. 
authorities suggest, it seems that the drone likely malfunctioned, and perhaps was 
also affected by jamming efforts. Regardless, the fact that Iranian officials went 
public about their supposed capabilities suggests that they plan to do something sig- 
nificant by cyber means, or else they risk losing credibility. 

In June 2011, Hezbollah too entered the fray, establishing the Cyber Hezbollah 
organization. Law enforcement officials note that the organization’s goals and objec- 
tives include training and mobilizing pro-regime (that is. Government of Iran) activ- 
ists in cyber space. In turn and in part, this involves raising awareness of, and 
schooling others in, the tactics of cyber warfare. Hezbollah is deftly exploiting social 
media tools such as Facebook to gain intelligence and information. Even worse, each 
such exploit generates additional opportunities to gather yet more data, as new po- 
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tential targets are identified, and tailored methods and means of approaching them 
are discovered and developed. 

Given all the above evidence of (both conventional and cyber) capability and in- 
tent on the part of Iran and its proxies, the United States requires a robust posture. 
There are steps we can take to shore up our stance and create a more solid platform 
for proactive and, if necessary, reactive purposes. From a counterterrorism and in- 
telligence standpoint, it is crucial to focus on and seek to enhance all-source intel- 
ligence efforts. Such is the key to refining our understanding of the threat in its 
various incarnations, and to facilitating the development and implementation of do- 
mestic tripwires designed to thwart our adversaries and keep us “left of boom.”^® 
Disruption should be our goal. Planning and preparation to achieve this end in- 
cludes information gathering and sharing — keeping eyes and ears open at home and 
abroad to pick up indications and warnings (l&W) of attack, and reaching out to 
and partnering with State and local authorities as well as technical and academic 
communities. Outreach to respected leaders in the community is essential to keep 
channels open, build trust, and foster mutual assistance. These dialogues should 
take place across the board, and not just in major metropolitan centers. The history 
of the Conficker Working Group, captured in a DHS-sponsored lessons learned docu- 
ment, provides examples of the types of relationships that need to be established 
and maintained.^® 

Searching for I&W will require fresh thinking that identifies and pursues links 
and patterns not previously established. The above-described nexus between ter- 
rorist and criminal networks offers new possibilities to exploit for collection and 
analysis. To take full advantage, we will have to hit the beat hard, with local police 
tapping informants and known criminals for leads. State and local authorities can 
and should complement what the Federal Government does not have the capacity 
or resources to collect, and thereby help determine the scope and contours of threat 
domains in the United States. Further leveraging our decentralized law enforcement 
infrastructure could also serve to better power our Fusion Centers. The post-9/11 
shift of U.S. law enforcement resources away from “drugs and thugs” toward 
counterterrorism is, ironically, in need of some recalibration in order to serve 
counterterrorism aims. For the last decade, furthermore, U.S. Government analysts 
have (understandably) focused on al-Qaeda, resulting in a shallower pool of U.S. in- 
telligence on Hezbollah. Recent incidents cited above may provide insight into cur- 
rent tactics, techniques, and procedures, and we should comb through further to 
mine for and learn possible lessons. 

Officials in the homeland security community must undertake contingency plan- 
ning that incorporates attacks on U.S. infrastructure. At minimum, “red-teaming” 
and additional threat assessments are needed. The latter should include modalities 
of attack (such as cyber, and attacks on our critical infrastructures) and potential 
consequences. 

From the perspective of cybersecurity and infrastructure protection, the United 
States should develop and clearly articulate a cyber-deterrence strategy. Computer 
network exploitation directed against us is presently a major issue — we are losing 
billions of dollars in intellectual property as a result. Even more ominous are adver- 
sary efforts underway to engage in the cyber equivalent of intelligence preparation 
of the battlefield, again to be used against us.®® There is simply no other expla- 
nation for the nature and extent of the activity that we have seen so far. Yet, inso- 
far as our response posture is concerned, the current situation is arguably the worst 
of all worlds: Certain adversaries have been singled out in Government documents 
released in the public domain, yet it is not altogether clear what we are doing about 
these activities directed against us.®i The better course would be to undertake and 
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implement a cyber-deterrence policy that seeks to dissuade, deter, and compel both 
as a general matter, and in a tailored manner that is actor/adversary-specific. A 
solid general posture could serve as an 80 percent solution, neutralizing the major- 
ity of threats before they manifest fully. This would free up resources (human, cap- 
ital, technological, etc.) to focus in context-specific fashion on the remainder, which 
constitute the toughest threats and problems, in terms of their level of sophistica- 
tion and determination. To operationalize these recommendations, we must draw 
lines in the sand or, in this case, the silicon. Preserving flexibility of U.S. response 
by maintaining some measure of ambiguity is useful, so long as we make param- 
eters clear by laying down certain markers or selected redlines whose breach will 
not be tolerated. The entire exercise must, of course, be underpinned by all-source 
intelligence. Lest the task at hand seem overly daunting, remember that we have 
in past successfully forged strategy and policy in another new domain devoid of bor- 
ders, namely outer space. 

Sometimes, however, the best defense is a good offense. Yet the U.S. cyber offense 
to defense ratio, at least as represented in the public domain, has skewed over- 
whelmingly to defense.®^ There are some signs of late that this may be changing, 
including newspaper reports suggesting that rules of engagement regarding cyber 
attacks are being developed, and that the Department of Defense is seeking to bol- 
ster its arsenal of cyber weapons.®^ These are encouraging developments, if true, be- 
cause having a full complement of instruments in our toolkit, and publicizing that 
fact (minus the details), will help deter potential adversaries — provided that we also 
signal a credible commitment to enforcing compliance with U.S. redlines. Again his- 
tory provides guidance, suggesting two focal points upon which we should build our 
efforts. One is leadership — we must find the cyber equivalents of Billy Mitchell or 
George Patton, leaders who understand the tactical and strategic uses of new tech- 
nologies and weapons. The other is force protection — not only must we develop of- 
fensive capabilities, but we ought to make sure we develop second-strike capabili- 
ties. We cannot simply firewall our way out of the problem. U.S. Cyber Command 
must both lend and receive support, if our cyber doctrine is to evolve smartly and 
if our cyber power is to be exercised effectively. 

While it is up to the Government to lead by example by getting its own house 
in order, cybersecurity and infrastructure protection do not constitute areas where 
Government can go it alone. With the majority of U.S. critical infrastructure owned 
and operated privately, robust public-private partnerships are essential, as is a com- 
panion commitment by the private sector to take the steps necessary to reinforce 
national and homeland security. Government and industry must demonstrate the 
will and leadership to take the tough decisions and actions necessary in this sphere. 

Lest the incentives to do so not be clear to all by now, consider the words of the 
FBI’s then-executive assistant director responsible for cybersecurity, Shawn Henry, 
who said: “We’re not winning.” He illustrated his conclusion by citing a company 
that, due to hackers, lost 10 years of effort (R&D) and the equivalent of $1 billion.^’' 
While we cannot expect the private sector to defend itself alone from attacks by for- 
eign intelligence services, we need to do a better job (as a country) of making the 
business case for cybersecurity. Failure to shore up our vulnerabilities has National 
security implications. Yet crucial questions remain open, such as how much cyberse- 
curity is enough, and who is responsible for providing it? 

The facts in this case support the need for standards, as identified and self-initi- 
ated (along with best practices) by the private sector, across critical industries and 
infrastructures, together with an enforcement role for Government, to raise the bar 
higher — in order to protect and promote, not stifle, innovation. The economic and 
intellectual engines that made this country what it is today are, arguably, our great- 
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est resource. They will power us into the future too, so long as we act wisely and 
carefully to foster an environment in which they can continue to thrive and grow. 
To be blunt, legislation of the type described is needed, and it is needed now, in 
order to remedy crucial gaps and shortfalls, and hold critical infrastructure owners 
and operators accountable, by focusing on behavior rather than regulating tech- 
nology. 

At the same time, a mix of incentives is needed, to include teix breaks, liability 
protections, and insurance premium discounts, for private owners and operators of 
critical infrastructure to take the steps needed to help improve our overall level of 
security. These measures must also be accompanied by a mechanism to enable and 
encourage information sharing between the public and private sectors. In addition, 
as former director of national intelligence, Admiral Mike McConnell, has suggested, 
the information exchanged must be “extensive, . . . sensitive and meaningful,” and 
the sharing must take place in “real-time” so as to match the pace of the cyber 
threat. There must be “tangible benefits” for those yielding up the information.^® 

In conclusion, now is the time to act. For too long, we have been far too long on 
nouns, and far too short on verbs. Again, I wish to thank both subcommittees and 
their staff for the opportunity to testify today, and I would be pleased to try to an- 
swer any questions that you may have. 

Mr. Meehan. Thank you, Mr. Cilluffo. That might he something 
you want to develop further in your — in your response to questions. 
Mr. Berman, we now recognize you for 5 minutes. Thank you. 

STATEMENT OF ILAN BERMAN, VICE PRESIDENT, AMERICAN 
FOREIGN POLICY COUNCIL 

Mr. Berman. Thank you, sir, and let me start by thanking you, 
Mr. Chairman, and thanking Chairman Lungren for holding this 
hearing. Like my colleague, I am appreciative of the fact that this 
is a synergistic problem and it is one that lends itself to a syner- 
gistic solution rather than simply holding one-off events. Let me 
also say by way of starting, that I am a subject-matter specialist 
in Iran, rather than infrastructure protection or cybersecurity, so 
I am going to focus my remarks on the political and the strategic 
aspects of the emerging Iranian cyber threat. 

Let me start by saying that I think the question that is being 
posed increasingly here within the Washington Beltway is whether 
or not Iran poses a real and immediate cyber threat to the United 
States, and the conventional wisdom here is that it doesn’t because 
Iran is squeezed by increasingly harsh economic sanctions from the 
United States and the European Union and others, and also be- 
cause Iran, as a result, is weathering significant domestic socio- 
economic malaise. But for those very same reasons, I would make 
the argument that Iranian action against the United States, par- 
ticularly asymmetric action against the United States, is more 
rather than less likely. If you look at the Iranian — the way the Ira- 
nians approach cyber space, they are essentially looking at two geo- 
political drivers that are animating their focus and their attention. 
The first has to do with domestic repression. The Iranian regime 
is erecting what President Obama recently called an electronic cur- 
tain around its population and it is doing so through the construc- 
tion of a National intranet to essentially supplant and cordon off 
Iranian access to the world wide web. It is doing so through the 
passage of new restrictive regulations and rules governing internet 
usage, public internet usage. It is doing so through the passage of 
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penalties relating to content that is deemed inappropriate by the 
Iranian regimes — Iranian regime, and is doing so through the in- 
stallation, acquisition, and installation of technologies, foreign ori- 
gin technologies, such as Chinese origin technologies for the moni- 
toring, filtering, and limiting of access to the internet. 

This focus on the part of the Iranian regime, began in earnest 
after June 2009, when the fraudulent re-election of Iranian Presi- 
dent Mahmoud Ahmadinejad catalyzed a groundswell of opposition 
from the Iranian street. The Iranian opposition elements at the 
time leveraged the internet extensively in their protests, and as a 
result, the Iranian regime responded in that domain as well. 

It has been successful. If you look over the last year or so, it is 
very clear that the Iranian Green Movement as it is called, has mi- 
grated into the ether. It has migrated into the internet, and the re- 
gime has followed them there. If you look at the new restrictions 
that are being passed by the Iranian regime in terms of access to 
Facebook, and Twitter, and other accounts, it is very clear that the 
competition and contest between Iran and its opposition is much 
more virtual now than it is actually on the streets, but it is still 
there. 

This focus, though, has been confirmed by what has happened in 
the Middle East over the last year. The Arab Spring has been tout- 
ed by Iran as a victory for the Ayatollah Khomeini Islamic Revolu- 
tion, but in practical terms, the anti-regime sentiment that is em- 
bodied by the turmoil that has taken place in Tunisia, and Libya, 
and Egypt is taking place now in Syria and elsewhere, poses a mor- 
tal threat to the Iranian regime on a number of levels. As a result, 
the Arab Spring has confirmed to them the need to clamp down do- 
mestically and isolate their population from these outside sources. 

The second, and for the purposes of this committee, I think more 
important geopolitical driver of Iran’s interest has to do with the 
asymmetric conflict that is already occurring over Iran’s nuclear 
program. We heard earlier in the opening statements about the ap- 
plication of Stuxnet, and Stuxnet is one of at least three, possibly 
more, cyber attacks against — discrete cyber attacks that have 
taken place against the Iranian nuclear program over the last 2 
years or so. 

In policy circles in Washington the question of attribution, where 
Stuxnet and these other malwares came from, who has deployed 
them, is still an open question. But from the Iranian perspective, 
it is not. It is very clear for Iran, that the west writ large has 
launched an asymmetric attack on the Iranian nuclear program 
and it is mobilizing as a response, mobilizing through the creation 
of a $1 billion program to ramp up its cyber defense and cyber of- 
fense capabilities, the construction of a cyber army of sympathetic 
hacktivists, and leveraging attacks against entities such as Twitter, 
such as the Chinese search engine Baidu, such as the BBC. This 
all shows a very clear pattern of increasingly aggressive behavior, 
and it underscores, I think, a fundamental point, which is that Iran 
appears to be moving increasingly from defense to offense in terms 
of how it thinks about cyber space. 

In the opening remarks. Chairman Meehan, you referenced the 
assessment of General Clapper, about how Iran has become in- 
creasingly bold in its strategy. I would make the argument that 
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this represents nothing less than a seismic shift in terms of how 
Iran thinks about the U.S. homeland. In his testimony, General 
Clapper talked about the fact that Iranian officials, probably in- 
cluding the Supreme Leader Ali Khamenei himself, have changed 
their calculus and are now willing to conduct an attack on the 
United States. This has salience with regard to the attempted 
foiled attack in October 2001 against the Saudi Ambassador in 
Washington, but increasingly, it is likely to manifest itself in other 
ways as well, including in the cyber realm. Here Iran has signifi- 
cant capability, and significant intent. 

Last summer, for example, a hard-liner Iranian newspaper affili- 
ated with the Revolutionary Guard, warned the United States, that 
America no longer has the “exclusive capability in cyber space and 
it has underestimated the Islamic Republic,” and now needs to 
worry about “an unknown player somewhere in the world attacking 
a section of its critical infrastructure.” 

Are we ready for this? This is, I think, the most salient question 
of all. The past year has seen a dramatic expansion on the part of 
the United States in terms of Governmental awareness of cyber 
space as a domain for conflict. But this attention is still uneven, 
I would argue. It focuses largely on network protection and resil- 
iency, particularly in the military arena, and on threat capabilities 
from China, and from Russia. Serious institutional awareness of 
the threat from Iran and the cyber warfare potential of Iran, has 
lagged behind the times and so has the Governmental response to 
it. 

So why does this matter? I would argue that it matters for three 
reasons: First of all, it matters because operationally, an Iranian 
cyber attack may look similar to a Chinese cyber attack, or a Rus- 
sian cyber attack, but there are key differences. The first is with 
regard to targeting objects. Iran has, in both its public statements 
and its writings, talked extensively about U.S. critical infrastruc- 
ture. 

Mr. Meehan. Mr. Berman, can I do this? I am going to pursue 
that specific line of questioning with you as soon as I have an op- 
portunity. I want you to articulate more on that. Allow me to move 
with Mr. Casio w at this point in time, and we will return to that. 

Mr. Berman. Absolutely, thank you, sir. 

[The prepared statement of Mr. Berman follows:] 

Prepared Statement of Ilan Berman 
April 26, 2012 

Congressman Lungren, Congressman Meehan, distinguished Members of the sub- 
committees: Thank you for the opportunity to appear before you today to address 
the cyber warfare capabilities of the Islamic Republic of Iran, and the threat that 
they pose to the U.S. homeland. 

Conventional wisdom suggests that the Iranian regime, now being squeezed sig- 
nificantly by sanctions from the United States and Europe and grappling with sig- 
nificant domestic socio-economic malaise, is far from an imminent threat to the 
American homeland (even if it does present a vexing foreign policy challenge for the 
United States and its allies). Yet, over the past 3 years, the Iranian regime has in- 
vested heavily in both defensive and offensive capabilities in cyber space. Equally 
significant, its leaders now increasingly appear to view cyber warfare as a potential 
avenue of action against the United States. 
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IRANIAN CAPABILITIES IN GEOPOLITICAL CONTEXT 

Iran’s expanding exploitation of cyber space can be attributed to two principal 
geopolitical drivers. 

The first are the Iranian regime’s efforts to counter Western influence and pre- 
vent the emergence of a “soft revolution” within its borders. In his March 2012 
Nowruz message to the Iranian people, President Obama alluded to the growing ef- 
forts of the Iranian regime to isolate its population from the outside world when he 
noted that an “electronic curtain has fallen around Iran.”i That digital barrier has 
grown exponentially over the past 3 years, as Iran’s leadership has sought to quell 
domestic dissent and curtail the ability of its opponents to organize. 

The proximate cause of this effort was the fraudulent June 2009 reelection of 
Mahmoud Ahmadinejad to the Iranian presidency, which catalyzed a groundswell 
of domestic opposition that became known colloquially as the “Green Movement.” In 
the months that followed, Iran’s various opposition elements relied extensively on 
the internet and social networking tools to organize their efforts, communicate their 
messages to the outside world, and rally public opinion to their side. In turn, the 
Iranian regime utilized information and communication technologies extensively in 
its suppression of the protests — and thereafter has invested heavily in capabilities 
aimed at controlling the internet and restricting the ability of Iranians to access the 
world wide web.^ 

This focus has only been reinforced by recent revolutionary fervor throughout the 
Middle East and North Africa. For while Iranian authorities have sought to depict 
the so-called “Arab Spring” as both the start of an Islamic awakening and an affir- 
mation of their regime’s worldview,^ the anti-regime sentiment prevalent in the re- 
gion actually represents a mortal threat to their corrupt, unrepresentative regime. 
As a result, the past year has seen a quickening of the regime’s long-running cam- 
paign against “Western influence” within the Islamic Republic. These efforts in- 
clude: 

• The construction of a new, “halal” national internet. This “second internet,” 
which will effectively sever Iran’s connection to the world wide web by routing 
web users to pre-approved, Iranian-origin sites, is currently expected to come 
on-line by late summer 2012.'^ 

• Installation of a sophisticated Chinese-origin surveillance system for monitoring 
phone, mobile, and internet communications.® 

• The passage of new, restrictive governmental “guidelines” forcing internet cafes 
to record the personal information of customers — including vital data such as 
names, national identification numbers, and phone numbers — as well the instal- 
lation of closed-circuit cameras to keep video logs of all customers accessing the 
world wide web.® 

• Movement toward the formation of a new government agency to monitor cyber 
space. Once operational, this “Supreme Council of cyber space,” which will be 
headed by top officials from both Iran’s intelligence apparatus and the Revolu- 
tionary Guards, will be tasked with “constant and comprehensive monitoring 
over the domestic and international cyher space,” and be able to issue sweeping 
decrees concerning the internet that would have the full strength of law.'^ 

The second geopolitical driver of Iran’s interest in cyher space relates to the ex- 
panding conflict with the West over its nuclear ambitions. Since the fall of 2009, 
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Iran has suffered a series of sustained cyber attacks on its nuclear program. The 
most well-known of these is Stuxnet, the malicious computer worm that attacked 
the industrial control systems at several Iranian nuclear installations, including the 
uranium enrichment facility at Natanz, between late 2009 and late 2010. At the 
height of its effectiveness, Stuxnet is estimated to have taken 10 percent or more 
of Iran’s 9,000 then-operational centrifuges off-line.® 

Stuxnet has been followed by at least two other cyber attacks aimed at derailing 
Iran’s nuclear development. “Stars,” a software script targeting execution files, was 
uncovered by the Iranian regime in April 2011.® Subsequently, “Duqu,” a malware 
similar to Stuxnet and aimed at gaining remote access to Iran’s nuclear systems, 
was identified in October/November 2011.^® 

Publicly, the origins of these intrusions are still an open question. Israel has 
steadfastly denied any role in the authorship of Stuxnet or other cyber attacks, de- 
spite widespread speculation to the contrary. The United States, too, has remained 
silent on the subject, although suspicions abound that the CIA played at least some 
part in putting together and deplo 3 dng Stuxnet (and perhaps other malware as 
well).ii 

For the Iranian regime, however, the conclusion is clear. War with the West, at 
least on the cyber front, has been joined, and the Iranian regime is mobilizing in 
response. In recent months, it reportedly has launched an ambitious $1 billion gov- 
ernmental program to boost national cyber capabilities — an effort that involves ac- 
quisition of new technologies, investments in cyber defense, and the creation of a 
new cadre of cyber experts. It has also activated a “cyber army” of activists which, 
while nominally independent, has carried out a series of attacks on sites and enti- 
ties out of favor with the Iranian regime, including social networking site Twitter, 
Chinese search engine Baidu, and the websites of Iranian reformist elements. 

CYBERWAE AND IRANIAN STRATEGY 

In his testimony to the Senate Select Committee on Intelligence this past Janu- 
ary, General James Clapper, the director of national intelligence, alluded to what 
amounts to a seismic shift in Iranian strategy. In response to growing economic 
sanctions and mounting pressure from the United States and its allies, he noted, 
“Iranian officials — probably including Supreme Leader Ali Khamenei — have changed 
their calculus and are now willing to conduct an attack in the United States.”^’' 

Gen. Clapper was referring, most directly, to the foiled October 2011 plot by Iran’s 
Revolutionary Guards to assassinate Saudi Arabia’s envoy to the United States in 
Washington, DC. But, as the international crisis over Iran’s nuclear ambitions con- 
tinues to deepen, Iran’s cyber capabilities should be a matter of significant concern 
as well. Experts have warned that, should the standoff over Iran’s nuclear program 
precipitate a military conflict, Iran “might try to retaliate by attacking U.S. infra- 
structure such as the power grid, trains, airlines, refineries.”^® 

The Iranian regime appears to be contemplating just such an asymmetric course 
of action. In late July 2011, for example, Kayhan, a hardline newspaper affiliated 
with Iran’s Revolutionary Guards, issued a thinly-veiled warning to the United 
States when it wrote in an editorial that America, which once saw cyber warfare 
as its “exclusive capability,” had severely underestimated the resilience of the Is- 
lamic Republic. The United States, the paper suggested, now needs to worry about 
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“an unknown player somewhere in the world” attacking “a section of its critical in- 
frastructure.”^® 

In keeping with this warning, over the past year infrastructure professionals in 
the United States have noted that Iran’s “chatter is increasing, the targeting more 
explicit, and more publicly disseminated.”^^ The Islamic Republic, in other words, 
increasingly has begun to seriously contemplate cyber warfare as a potential avenue 
of action against the West. 

Iran has significant capacity in this sphere. A 2008 assessment by the policy insti- 
tute Defense Tech identified the Islamic Republic as one of five countries with sig- 
nificant nation-state cyber warfare potential.'^® Similarly, in his 2010 book Cyber 
War, former National Security Council official Richard Clarke ranks Iran close be- 
hind the People’s Republic of China in terms of its potential for “cyber-offense. 
These capabilities, moreover, are growing. In his January 2012 Senate testimony. 
General Clapper alluded to tbe fact that Iran’s cyber capabilities “have dramatically 
increased in recent years in depth and complexity.”^® 

PREPARING FOR CYBER WAR WITH IRAN 

Where does the United States stand with regard to a response? The Obama ad- 
ministration has made cybersecurity a major area of policy focus since taking office 
in 2009, and the past year in particular has seen a dramatic expansion of Govern- 
mental awareness of cyber space as a new domain of conflict. But this attention re- 
mains uneven, focused largely on network protection and resiliency (particularly in 
the military arena), and on the threat capabilities of the People’s Republic of China 
and, to a lesser extent, of the Russian Federation. Serious institutional awareness 
of, and response to, Iran’s cyber warfare potential has lagged behind the times. 

Indeed, personal conversations with a range of experts inside and outside of Gov- 
ernment reveal a troubling lack of clarity about the Iranian cyber threat — and the 
absence of serious planning to counter it. While some parts of the Federal bureauc- 
racy (namely U.S. Strategic Command and the State Department’s Nonpoliferation 
Bureau) have begun to pay attention to Iran’s threat potential in the cyber realm, 
as yet there exists no individual or office tasked with comprehensively addressing 
the Iranian cyber warfare threat. The U.S. Government, in other words, has not yet 
even begun to get ready for cyber war with Iran. 

It should. After all, it is not out of the question that the Iranian regime could 
attempt an unprovoked cyber attack on the United States. As the foiled October 
2011 plot against Saudi Arabia’s ambassador to the United States indicates, Iran 
has grown significantly bolder in its foreign policy, and no longer can be relied upon 
to refrain from direct action in or against the U.S. homeland. Far more likely, how- 
ever, is a cyber warfare incident related to Iran’s nuclear program. In coming 
months, a range of scenarios — from a renewed diplomatic impasse to a further 
strengthening of economic sanctions to the use of military force against Iranian nu- 
clear facilities — hold the potential to trigger an asymmetric retaliation from the Ira- 
nian regime aimed at vital U.S. infrastructure, with potentially devastating effects. 

At the very least, it is clear that policymakers in Tehran are actively contem- 
plating such an eventuality. Prudence dictates that their counterparts in Wash- 
ington should be doing so as well. 

Mr. Meehan. Mr. Caslow, I now want to recognize you for your 
5 minutes. 

STATEMENT OF ROGER L. CASLOW, EXECUTIVE CYBER 
CONSULTANT, SUSS CONSULTING 

Mr. Caslow. Good morning, and thank you for inviting me to 
share my testimony today. I do want to emphasize that my back- 
ground is primarily in the realm of cybersecurity as it relates to 
computer and network defense. I am not an Iranian subject-matter 
expert, but I do know how to secure something and lock it down. 
It is an honor to appear before the joint subcommittee to testify 
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about the Iranian cyber threat to the U.S. homeland, and I do hope 
that my testimony is of benefit to create a better defensive posture 
against this stated threat. 

My colleagues here have already identified the threat. They 
scoped it out for us. That is good. Looking from a pure vulner- 
ability perspective and how we go forward and how we attack that, 
according to the 2012 Data Breach Investigations Report from 
Verizon, 97 percent of all reported data breaches were avoidable 
through basic level security controls implementation. Now, let me 
just state, that in order to protect our way of life, we must be pre- 
pared to return to the basics of security, not the flashing glitz of 
a Duqu or a Stuxnet, which I could talk if we wanted to about that, 
but rather the foundational aspects of cybersecurity. 

Once we have secured the basics across all sectors, then and only 
then can we have the greater certainty that the weakest link is not 
as exploitable by those who seek to do us harm. Within the field 
of cybersecurity, this requires ensuring the foundation is secure by 
knowing what is on and connected to our networks, what our basic 
security posture is, and what it should be, and ensuring the right 
people with the right skill sets are building, maintaining, and pro- 
tecting these assets and data. Furthermore, within the cybersecu- 
rity discipline, we require a strong governance structure. Govern- 
ance is far from the most exciting area of cybersecurity, but it is 
foundational to ensure better management of our vulnerabilities 
against our threats. For this to work, we must have clearly defined 
language, write what is meant, and leave little room for negotiation 
as possible. 

Good governance is required for best performance of our Na- 
tional, State, local, and industrial activities. Good governance sup- 
ports better integration of cybersecurity and information technology 
architectures, building in the security requirements up front. Good 
governance supports the adoption of risk-management-based deci- 
sions, which are only as good as the information available to the 
decision makers responsible for the defense of our interconnected 
networks, both public and private. I am going to mention Executive 
Order 13587, which was the structural reforms to improve the se- 
curity of classified networks. That was a good start, however, I be- 
lieve it required more teeth, but it also required better integration 
across all levels to include our industrial partners, less the bu- 
reaucracy overrun the implementation. 

Another not-too-exciting area, is the emphasis on education, 
training, and awareness. Education emphasis, not merely on the 
hard technology engineering skills, but also on the basic critical 
thinking skills which are lost in many technology disciplines. With 
respect to training as a Nation, our standards need to be fully ma- 
tured and established across all sectors. 

We can make improvements by leveraging the private-sector se- 
curity-based and -focused training organizations which are aware 
of the threats, vulnerability, and respective countermeasures. Basic 
awareness of the threats posed to all sectors and elements to our 
society is also important. We still have too many people who are 
ignorant of the threats, and become caught in phishing, spear 
phishing, social engineering, and other types of manipulation, ex- 
ploitation, and exfiltration schemes. 
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Again, all sectors are important and require some level of tar- 
geted awareness campaigns. I consider it more of an op-sec, or an 
operational security against a cyber attack. Now, there is a Na- 
tional initiative for cybersecurity education which evolved from the 
Comprehensive National Cybersecurity Initiative, was intended to 
address many of these education training and awareness issues, 
but has not taken root. I fully understand the concept of measure 
twice and cut once, but when we face the threats we do as a Na- 
tion, the 85 percent solution should be enough to start. More focus 
on results and accomplishments, less talking, will better serve this 
initiative in our overall cybersecurity posture regardless of the 
threat vector. 

Finally, when to seek out and leverage by name, when and where 
possible, specific people, tailorable process, integratable security 
technology solutions. We must allow the security — the subject-mat- 
ter experts to research, propose, implementable processes and tech- 
nology solutions and then put them in place with minimal delay. 
Bureaucracy is not our friend in this arena. 

Now, there are no easy solutions, and we have been speaking to 
these topics for a number of years, but if we are serious about pro- 
tecting our Nation’s interests, we must first secure the basics be- 
fore moving into more advanced methods and techniques. Thank 
you again. I look forward to any questions you might have for me. 

[The statement of Mr. Caslow follows:] 

Prepared Statement of Roger L. Caslow 
April 26, 2012 

Good morning and thank you for inviting me to share my testimony today. My 
name is Roger Caslow ^ and I am an executive consultant with Suss Consulting. My 
background is primarily in the realm of cybersecurity as it relates to computer and 
network defense. It is an honor to appear before this joint subcommittee to testify 
about the “Iranian Cyber Threat to the U.S. Homeland” and I hope that my testi- 
mony is of benefit in to creating a better defense posture against this stated threat. 

According to the 2012 Data Breach Investigations Report, ^ 97% of all reported 
data breaches were avoidable through basic levels security controls implementation. 
Allow me to state that in order to protect our way of life we must be prepared to 
return to the basics of security. Not the flashy and glitzy but rather the 
foundational aspects of cybersecurity. Once we have secured the basics, across all 
sectors, then and only then can we have greater certainty that the “weakest link” 
is not as exploitable by those who seek to do us harm. Within the field of cybersecu- 
rity this requires ensuring that the foundation is secure by knowing what is on or 
connected to our networks, what our basic security posture is and what it should 
be, and ensuring that the right people with the right skill sets are building, main- 
taining, and protecting these assets and their data. 

Furthermore, within the cybersecurity discipline we require a stronger governance 
structure. Governance is far from the most exciting area in the field of cybersecurity 
but it is foundational to ensure better management of our vulnerabilities against 
our threats. For this to work we must have clearly defined language, write what 
is meant and leave as little room for negotiation as possible. Good governance is re- 
quired for best performance of our National, State, local, and industry activities. 
Good governance supports better integration of cybersecurity and information tech- 
nology architectures, building in the security requirements up-front. Good govern- 
ance supports the adoption of risk-management-based decisions, which are only as 
good as the information made available to the decision makers responsible for the 
defense of our interconnected networks, both public and private. Executive Order 
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13587,^ Structural Reforms to Improve the Security of Classified Networks and the 
Responsible Sharing and Safeguarding of Classifkd Information, is a good start but 
it requires more “teeth” and better communication across all levels, to include our 
industry partners, lest the bureaucracy overrun the implementation. 

Another, not-too-exciting area, is the emphasis on education, training, and aware- 
ness (ETA). Education emphasis, not merely on the hard technology engineering 
skills but also on basic critical thinking skills, which are all but lost in many tech- 
nology disciplines. With respect to training, as a Nation our standards need to be 
fully matured and established across all sectors. We can make improvements by 
leveraging the private-sector security-based and -focused training organizations, 
which are aware of the threats, vulnerabilities, and countermeasures. Basic aware- 
ness of the threats posed to all sectors and elements of our society is also important. 
We still have too many people who are ignorant of the threats and become caught 
in phishing, spear phishing, social engineering, and other types of data manipula- 
tion, exploitation, and exfiltration schemes. Again, all sectors are important and re- 
quire some level of targeted awareness campaigns. Consider it as operational secu- 
rity against the cyber attack. The National Initiative for Cyhersecurity Education 
(NICE)'' which evolved from the Comprehensive National Cyhersecurity Initiative 
was intended to address many of the ETA issues but it has not taken root. I fully 
understand the concept of “measure twice and cut once” but when we face the 
threats we do as a Nation, the 85% solution should be enough to start. More focus 
on results and accomplishment, with less talking; will better serve this initiative, 
and our overall cyhersecurity posture. 

Finally, we must seek out and leverage, by name when and where possible, spe- 
cific people, tailorable processes, and integratable security technology solutions. We 
must allow the subject matter experts to research and propose implementable proc- 
ess and technology solutions and then put them in place with minimal delay; bu- 
reaucracy is not our friend in this arena. Also, we must not be afraid to embrace 
the hacker community, but in order to do so we must leverage a different type of 
recruiter. Our talent recruiters going to this community via to the major hacker con- 
ferences, also known as “CONS”, will have little success in three-piece suits. They 
must be people who have the look, feel, and knowledge to speak with this commu- 
nity at the social and technical levels. This is critical to securing the skill sets and 
knowledge base from a community with a greater knowledge of the offensive side 
of the battle. It’s a known fact in sports, combat, and security that knowledge of 
the offensive tactics, techniques, tools, and procedures are of utmost importance in 
further bolstering our defensive posture, and in the case of cybersecurity, securing 
our networks. 

There are no easy solutions, and we have been speaking to these topics for a num- 
ber of years, but if we are serious about protecting our Nation’s interests we must 
first secure the basics before moving onto more advanced methods. Thank you again 
and I look forward to any questions you might have for me. 

Mr. Meehan. Thank you, Mr. Caslow. Thanks to each of the pan- 
elists. The Chairman will now recognize the other Members for 
questions. The Chairman will recognize Members for questions in 
the order in which they were here today. I now recognize myself 
for 5 minutes of questioning. 

I thank all of the panelists for your compelling testimony and I 
believe as we work together as a panel, will explore a number of 
these areas. I could jump in with anybody, but let me begin with 
you, Mr. Berman, because you were touching on some issues that 
I think are important to develop. First, that was a pretty strong 
statement to say that we have experienced a seismic shift in how 
Iran not only views the United States, but its willingness to carry 
out actions against the United States. 

So I would like to have you tell me how you have come to that 
conclusion, and then where you see our cyber capacity as being a 
likely target. Then if you have a moment, I am interested as well 


^Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks 
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in the idea of what we have talked about in which, you know, we 
spent our time with Russia, and China, and so worried — this con- 
cept that we don’t even know what is coming from Iran; the use 
of proxies, which is part of the MO. I think I have given you a little 
bit to jump with, so I would love you to just take off. 

Mr. Berman. Well, thank you, sir, that is a little bit of a tall 
order. I am going to try to do my best to address it. The question 
first of the seismic shift. I think it is very clear, and I don’t know 
if you recall, but I was a witness before this panel last summer 
looking at Hezbollah activity in the Western Hemisphere, and at 
the time, myself, and a number of the panelists that were with me, 
made the point that Latin America, and the Western Hemisphere 
generally, is seen as a staging area, an area of opportunity for the 
acquisition of funding for illicit activity that provide revenue to the 
Iranian regime. 

Mr. Meehan. I note this testimony was prior to the point where 
we were aware of what happened in Mexico. 

Mr. Berman. Exactly right. What you see — or at least what I 
have seen in the months since has been an evolutionary approach 
that Iran has taken towards how it positions itself, vis-a-vis, the 
U.S. homeland. Previously, it would have been very difficult to 
imagine a scenario where the Iranian regime, in any part, would 
authorize such a brazen attack as it did in October — tried to carry 
out in October 2011. There have been many commentaries that 
have cast aspersions on that account with regard to the complexity 
of the plot, the amateurishness of its execution, but the folks that 
I have spoken to, maintain that this was a credible plot. It was one 
that was, perhaps not executed properly, but it is one that signaled 
intent. That intent is, I think, key to this discussion here today. 
Because when you look at the potential for an Iranian cyber attack, 
you have to marry capability and intent. With regard to intent spe- 
cifically, I would argue that Iran has more potentially. 

Mr. Meehan. But you are talking about intent. In fact, capability 
here, that required that they had to penetrate the United States 
physically. Here we are talking about a global network which they 
can access, not only from Iran, but from anywhere the world. 

Mr. Berman. I think that is exactly right, and when you look at 
cyber space, as Mr. Cilluffo said, cyber space is, you know, it is flat. 
It has the advantage being sticky. It is a field that advantages 
asymmetric actors. Iran can reach out and touch us in the U.S. 
homeland via cyber space much more easily than it could via, say, 
Latin America. As a result, the capabilities are an issue, but the 
intent, I would argue, is more of an issue. Here, Iran has an over- 
abundance, because unlike the scenario in our foreign policy that 
we have with China, and with Russia now where conflicts do exist, 
where we have a stable diplomatic relationship, we have a series 
of scenarios that are potentially coming down the pike, a renewed 
diplomatic impasse over Iran’s nuclear program as a result of the 
negotiations, new economic sanctions, potentially even a military 
conflict that could trigger an attack on the part of the Iranian re- 
gime as an asymmetric retaliation. 

Mr. Meehan. Mr. Cilluffo, do you agree that that the United 
States is now the cyber network, as was identified by Mr. Leiter, 
is a traditional terrorist attack target right now? 
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Mr. CiLLUFFO. Unequivocally, when you are looking at Iran, and 
a couple of other points that make cyber space unique. Mr. Chair- 
man, you had just asked a question along those lines of Mr. Ber- 
man. But anonymity, who is behind that clickety-clack of the key- 
board breaking into your system? Are you dealing with a pimply 
kid, or are you dealing with a foreign intelligence service, an orga- 
nized crime, an economic competitor? You simply don’t know much 
of the time at the breach itself. So attribution, while we are mak- 
ing progress, smoking guns are hard to find in the counterter- 
rorism environment; smoking keyboards are that much more dif- 
ficult. I would also note that cyber space is made, I mean, it is 
made for plausible deniability. 

So what we have seen, and the reason I am concerned about the 
Russias and the Chinas is we have seen a sophistication level that 
is very high. But they are in the business right now of CNE, com- 
puter network exploits to steal secrets. If their intent changes, they 
could just flip the switch and it becomes an attack tool. I might 
note that what we have seen that I think is most concerning, and 
certainly to Mr. Lungren’s subcommittee is, we have seen adver- 
saries map critical infrastructures. 

I don’t see what the value of that, the cyber equivalent of intel- 
ligence preparation in the battlefield. I don’t see what that intent 
could be other than to potentially use in a time of crisis. 

Mr. Meehan. So there is a lot of presence within the network 
right now. It is just that they haven’t flipped the switch. Right now 
it is obtaining information, but they haven’t turned it in a 
proactive sense into delivering some kind of an attack. 

Mr. CiLLUFFO. I might note that we tend to look at this only 
through a tech lens. The more sophisticated actors realize that it 
is the convergence of human intelligence, and technical intel- 
ligence, and that is where we should be worried. 

Mr. Meehan. Well, my time has expired. At this point, I would 
like to open it to questions to the Ranking Member Mr. Higgins. 

Mr. Higgins. Thank you, Mr. Chairman. You know, I sense from 
both the substance and the tone of your testimony, there is an un- 
derlying frustration that perhaps we are not doing as much as we 
need to do in order to defend ourselves against a potential threat. 
So let me start with Mr. Caslow. According to the former director 
of the National Counterterrorism Center, Michael Leiter, the 
United States, he says, can likely defend itself against the types of 
cyber attacks of which Iran is capable. Given what you know about 
the vulnerabilities of both the governments, and the private sector 
cyber infrastructure in the United States, do you agree with the 
former director that the United States is capable of handling a 
cyber threat from Iran? 

Mr. Caslow. If I might say, that at the time this statement was 
made, there may have been certain assumptions made as well, 
about the understanding of our networks. The vulnerabilities, as 
technology shifts, vulnerabilities shift. Also, the threat vectors 
shift. I don’t say that I disagree with him, but at the time he was 
probably correct. As of today, I would believe that it would be less 
correct, only because, as my colleagues here have already men- 
tioned, the capability and intent is important. Those feed into the 
risk equation of what threat is. But the other parts of that are 
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equally important. They are not weighted of one more important 
than the other. The other parts of that are the big V of vulner- 
ability, the likelihood, or probability of those things happening, and 
ultimately, the impact of those occurring. 

My personal viewpoint from the years I have been doing this is 
that we can’t consider ourselves looking at one threat vector unless 
we understand our own vulnerabilities. We have to know ourselves 
first and foremost. I do know with certainty from speaking with my 
colleagues across industry and across the Government that it is not 
all boats rising at the same. Unfortunately with the interconnec- 
tion of our networks from the TS all the way through that we have 
the — ^be careful here — we have the known vulnerabilities for a boat 
that is not as high in the water as the others could negatively im- 
pact some of the higher-level boats, to take that analogy further. 
Again, I frequently use analogies with my colleagues who aren’t on 
the technical side, of a house. You have a house, you build your 
structure. You are considered — sir, I am sure you are considered 
with the furniture, or the paint of the color or the varnish on the 
trim, or how the chair rails go in the dining room or what type of 
appliances are inside your home. How often do we investigate how 
deep the footer has been dug. Or is the footer the appropriate 
depth or width, is it maybe the right construction material. All 
these other things are actually ultimately more important in many 
aspects of you having a home that will keep you secure and your 
family secure over the lifetime. The United States of America is my 
home. So I want to make sure that we do secure the foundation, 
the foundation and the building materials and everything that goes 
into that. 

Mr. Higgins. I think the other thing that is often missed in 
terms of counterterrorism is the importance of remaining agile. It 
seems as though, first of all, no technology advances more quickly 
in our society than the technology of killing. Every day new weap- 
ons of mass destruction are being created to kill more people more 
quickly, and it is a big problem. I just think that there is a tend- 
ency to think terrorism 10 years ago is the same terrorism we have 
today. What you have is a new generation of terrorists that are 
more aggressive, that are more technologically savvy and thus 
more dangerous to their potential targets. As has been stated here, 
when you consider the testimony that was been given several 
months ago about the Hezbollah, which acts as a proxy for Syria, 
for Venezuela, for Iran, having not only a presence in the 20-coun- 
try region of Latin America but also having a presence in American 
cities. Their activities we are told is limited to fund-raising. Well, 
I don’t make that distinction. Fund-raising is a component of ter- 
rorist activity. What are you raising funds to do? It doesn’t have 
a beneficial impact on society. 

So I think this is a threat obviously that is very important that 
all of you have emphasized the importance of it, and I appreciate 
your testimony here today. Thank you, I yield back. 

Mr. Meehan. Thank you, Mr. Higgins. The Chairman now recog- 
nizes the Chairman from California, Mr. Lungren. 

Mr. Lungren. Thank you very much. Mr. Berman, only a few 
weeks ago a former director of National Counterterrorism Center, 
Michael Leiter, said or indicated that because of strict financial 
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sanctions facing the Iranian regime they might target international 
financial systems in a cyber attack. Would you agree that our fi- 
nancial institutions would be a prime target for Iran based on mo- 
tivation? 

Mr. Berman. That is an interesting question, sir, and I think I 
would have from what I know about how Iran is weathering the 
international financial sanctions regime, my answer would be “not 
yet”. If you look at what Iran is doing, the attack that Iran has al- 
legedly carried out against financial institutions such as Israel’s 
Banque Poaley, signaling Iranian’s ability to reach out and touch 
and affect and manipulate these financial institutions. Iran as a re- 
sult of the sanctions that have been levied since the start of the 
year by the Obama administration and more recently by the Euro- 
pean tlnion is increasingly dependent on utilizing that financial 
system in places like Venezuela, for example, to circumvent, to 
skirt, to attain another avenue to access international markets as 
these sanctions truly begin to bite. As such Iran at least for the 
moment doesn’t have the incentive or the motivation to attack in 
a catastrophic fashion and take down financial institutions. Will it 
later? Perhaps. If there is an all-out military conflict over its nu- 
clear program. But as of right now I don’t think that threat is ma- 
ture. 

Mr. Lungren. Mr. Cilluffo, I have heard it said that with 
Stuxnet or the public recognition of Stuxnet we have crossed the 
Rubicon; that is, we now have seen expressed in a prime example 
of the ability not only to enter into another’s computer system or 
network but to control it in such a way to cause physical destruc- 
tion. Would you say that is a fair statement? 

Mr. CiLLUEFO. Absolutely. I do think it did cross a Rubicon and 
certainly serves as a harbinger of what we are going to be looking 
to in the future. I might note that I personally feel it was the right 
thing to do. Let me suggest though that those that may have been 
hit may not be as discriminate as perhaps Stuxnet was to affect 
centrifuges. I think the same vulnerabilities that were exploited 
through our various systems could have catastrophic effect on some 
of the various critical infrastructure in the United States. So I 
think we need to inoculate ourselves from a whole host. 

Mr. Lungren. When we talk about asymmetric warfare it is in- 
teresting because one way of looking at it is that the “underdog”, 
the small guy, the one that is less powerful has an opportunity to 
do harm to the stronger adversary at lesser capital investment, 
lesser requirement for manpower, et cetera. At the same time it 
seems to me we ought to look at asymmetric warfare in the terms 
of the war on terror; that is, asymmetric warfare with the purpose 
of doing what? Not just destroying property but causing psycho- 
logical damage to the adversaiy. 

So when we talk about critical infrastructure, one of the things 
that comes to mind with me is our health system is a critical infra- 
structure. If I were to attack the United States one of the things 
it seems to me that would be very effective in an asymmetric way 
would be to attack the health system. If you could invade the infor- 
mation systems of several health systems of the United States such 
that no one could depend on the accuracy of the information con- 
tained therein, someone lying on the surgical table and getting the 
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wrong blood type, information indicating that you ought not to take 
certain medications and it indicating that you ought to take them. 
If you did that in a series of attacks, you wouldn’t have to be suc- 
cessful with too many of them to cause a psychological damage to 
the United States. 

So, I would ask both Mr. Cilluffo and Mr. Caslow whether that 
kind — do we need to appreciate that kind of a difference in terms 
of perhaps the target and the impact? As opposed to our sense of 
conventional warfare view of asymmetric warfare, if that makes 
sense. 

Mr. Cilluffo. Chairman Lungren, I think it does make sense. 
I mean cyber has extended and expanded the battlefield to incor- 
porate all of society. So what we used to look through in a more 
traditional targeting kind of sense, vis-a-vis the military C4ISR 
now has potential to be against us from a critical infrastructure 
perspective. 

Let me just note though that I feel we have nearly limited 
vulnerabilities, limited resources and let’s not forget we have a 
thinking predator and actor that bases their actions on our actions. 
So the best we can really do is get to the point where we are man- 
aging risk. I very much agree with Mr. Caslow’s view, let’s get to 
the 80 percent solution and then focus on specific actors, because 
Iran is not China. You have got different sets of tools that need to 
be brought to bear. Russia is not DPRK, or North Korea. 

So I feel that one biggest missing element of our strategy is we 
don’t have a cyber deterrent strategy. We need to clearly articulate 
one, we need to identify bright red lines in the sand or maybe in 
the silicon more apt and we need to identify what is unacceptable. 
Oh, by the way, we can’t firewall our way out of this problem. We 
need to start talking about offensive cyber capabilities and capac- 
ities. 

Mr. Lungren. Mr. Caslow. 

Mr. Caslow. I fully agree. Your analogy of the health care sys- 
tem brings to light a scenario that we tried to scheme out where 
the health care system connected at one point. If I were to target 
a hospital near a major military installation, let’s take Jackson- 
ville, North Carolina, and maybe I was able to target with some- 
thing like either a Duqu, which they believe to be the precursor for 
Stuxnet, we are not quite sure about yet, something that has the 
ability to attack the SCADA, you tell people it is terminator, it 
really is because now you actually have computers telling machines 
what to do. We have had that capability a long time but now we 
have the adversaries trying to use it in different areas, and granted 
it was a good thing it was used against someone who means us 
well, but the minute it is flipped around on us that is a bad thing. 
They target that hospital with the basic generator backup, they 
take out a power grid around that area as well. They are also able 
to take and attack the water system, parts per million of chlorine 
goes up down depending, and again the read-out says it’s right be- 
cause that is what Stuxnet does. All of a sudden now we have hun- 
dreds of thousands people sick in an area where we have troops 
who are deployed overseas. The ultimate end-game here is not to 
make those people sick. The ultimate end-game is to terrorize our 
troops overseas so that our Marines who are deployed in combat 
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zones can no longer do their mission because they are worried 
about their children, their wives, their grandmothers, whatever, 
who are now ill back on the home front because they are commu- 
nicating with them and now they know they are sick. 

Now that does deplete and impact our ability to carry the war 
out in a physical and kinetic manner overseas. So you are right on 
target, sir, we do have to be worried about that, but again we do 
have to ratchet things down to make sure we do have that strong 
defense, because the tactics, techniques, procedures, a strong de- 
fense is necessary in sports and necessary in the cyber world, but 
in order to do strong defense we have to have the offensive capa- 
bilities together as one. 

Mr. CiLLUFFO. And linebackers in between. 

Mr. Meehan. An appropriate analogy for draft day. The Chair- 
man now recognizes the gentlewoman from New York, Ms. Clarke. 

Ms. Clarke. Thank you very much, Mr. Chairman. My first 
question goes to Mr. Caslow. There are reverse engineering possi- 
bilities associated with the downing of U.S. drones in the advent 
of the Stuxnet virus that presents a possibility of advanced cyber 
weaponry being developed in Iran. In your opinion, is Iran close to 
developing the cyber attack capabilities that present a threat to 
U.S. critical infrastructure? Do you believe that other countries 
with already well-developed cyber weaponry capabilities are aiding 
Iran? 

Mr. Caslow. Again, ma’am, I am not an Iranian expert, I am a 
pure computer network cybersecurity person. 

Ms. Clarke. Right. 

Mr. Caslow. However, to answer your question as best as I pos- 
sibly can, any number of countries, we will go back to the P-3 
downing in China, the reverse engineering capability with their in- 
ability to fully discharge all of the equipment on that platform and 
a number of other areas. Any time that we can get someone who 
has a knowledge base to reverse engineer something that could po- 
tentially create a threat. Now that threat is against a specific tar- 
geted area, it could foreseeably do that. I would never take away 
that possibility, but it is the art of the probability because there 
are a lot of technical aspects involved with the downing of that Pa- 
cific platform as well as downing of a lot of other platforms. So not 
only that, but also the back chatter and how organizations sta- 
tion — the state actors and non-state actors share data and informa- 
tion. We do know this — it was quoted, I guess, the axis of evil and 
previous administration quoted that, used that term. The reality is 
it is beyond an axis, the data streams everywhere, the data flows, 
the internet can go everywhere. I can still go to a dark reading 
room on the internet and download any numb^er of very bad, nasty 
little critters that are out there and then use those same critters 
to attack a network or system. I can buy those capabilities, I can 
download some of them for free. 

So I say, yes. But again this stuff keeps me up at night, it doesn’t 
have to keep you up at night. 

Ms. Clarke. Thank you. Let me just sort of put this in context 
because this week the House is considering several cybersecurity 
bills, including the Cybersecurity Intelligence Sharing and Protec- 
tion Act. I believe that none of these bills that are being considered 
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will provide the country with a comprehensive cybersecurity strat- 
egy, vesting cybersecurity authority in a single domestic Federal 
agency and include robust privacy protections. 

Given the testimony here today on the cyber threat from Iran, 
what would you recommend as the basis for real cybersecurity leg- 
islation that addresses these concerns? 

Mr. Caslow. Thank you for asking that, ma’am, I have been 
doing a lot of reading on CISPA, and as I mentioned before in my 
testimony we do have to ensure that we have the governance piece 
in place. That is important. Integration with industry is exception- 
ally important. I do believe I also mentioned the fact that we re- 
quire some level of emphasis on education, training, and aware- 
ness, which CISPA is lacking in a lot of areas. 

To get away from the privacy aspect, I came from a world where 
it was about the data — the security and the sharing, now I am in 
a world where it is about the privacy and the security. So I under- 
stand those areas fairly well. 

Putting it all in one person’s plate, integrating it, it all depends 
on how it is executed. The old adage goes, the best plan in the 
world poorly executed is not as good as the worst plan in the world 
executed with superiority. So we really need to make sure it comes 
down to the execution. Again as I mentioned, we need to specifi- 
cally state what the intent is. What do we need to get across, not 
allow others to try to misarticulate the intent as in some laws and 
some Executive Orders, it gets down to the actual tactical level at 
the implementation and they are going it must have been 10 of this 
and my experience is it is this far away, it is not even close to what 
the intent is. So we need to make sure that that is clearly stated. 
Here is exactly what we need. I know that may take longer, I un- 
derstand that, but I think that is what is needed. 

Ms. Clarke. Let me just ask Mr. Berman, over the past decade 
have been proposals within the United Nations and other inter- 
national forums for treaties and convention that would ban the de- 
velopment and use of information weapons. Critics counter that as 
a form of cyber arms control and would stifle innovation and favor 
an international norm building approach and code of conduct. 

What international internet governance regime would you rec- 
ommend for countering the Iranian cyber threat? Along those same 
lines how are the State Department’s global internet freedoms ini- 
tiatives deconflicted with NSA and USCYBERCOM’s intelligence 
gathering and warfighting mission? 

Mr. Berman. Well, ma’am, thank you for the question. Since it 
is draft day I may mercilessly punt this over to my colleagues. But 
let me just point out again I am not a cybersecurity specialist. I 
am not in the position to speak about that. I can tell you very that 
parenthetically in my understanding of how the cyber community 
has dealt with the Iran threat specifically, not the cyber threat writ 
large, there is a gap in understanding between the operational, 
what Iran may do, and the political and strategic, what Iran is 
likely to do if something happens in the real world. That seems to 
me to be a gap that needs to be closed. 

Beyond that in terms of what rules, what standards need to be 
applied, I would like to turn it over to my colleagues. 
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Mr. CiLLUFFO. Ms. Clarke, thank you for the question. I am pret- 
ty vocal in terms of my views on this. I would vehemently not sup- 
port a U.N. arms control approach to deal with cyber. If you think 
back to nuclear and it is not a perfect analogy, but as Ronald 
Reagan said, trust but verify. Given some of the attribution chal- 
lenges here and given that the two countries advocating this ap- 
proach, China and Russia, have been known to be active in this 
space, I think we should be very cautious in terms of what their 
intentions are. We are not obviously not going to compromise our 
sources and methods even if we get to 100 percent verification. So 
I would push back on some of those proposals. 

Now, the flip side is that the Council of Europe has a cyber crime 
treaty. Here I think you have got the behavioral level that every- 
one can agree when you are dealing with child predators, you are 
dealing with child pornography, some of the tools that we have 
used in other confines and environments can be brought to bear in 
this environment, and I think we ought to consider some of those, 
but I have very little confidence in the U.N. approach. Quite hon- 
estly I feel we need to get more proactive in some of our offensive 
capabilities because we are not going to firewall — at least to dem- 
onstrate a capability to signal that we are serious and we will re- 
spond. 

Ms. Clarke. Thank you, Mr. Chairman. 

Mr. Meehan. Thank you, Ms. Clarke. At this point in time the 
Chairman recognizes Mr. Cravvack from Minnesota. 

Mr. Cravaack. Thank you, Mr. Chairman. I appreciate it. Being 
an old Navy helicopter pilot, this is a brand-new battlefield, a vir- 
tual battlefield if you will. But some of the things that can go back 
to the basics is the best defense is probably a good offense. 

So my question would be: How can we not only as a Government 
agency but unleash the private sector as well and be able to go 
proactive on if they receive a cyber attack, how can they have a 
counter offense in identifying where this comes from and beat these 
back. Can you give me a comment on that? 

Mr. Caslow. Is this punt the football again? If I could I have ac- 
tually in my written testimony something along those lines. 

Mr. Cravaack. I apologize I was late. I was in another meeting. 

Mr. Caslow. No, I didn’t actually speak to that part, it was just 
purely written. So I am glad. I wanted to cut my time down and 
make sure I was within the 5-minute window. 

Mr. CiLLUFFO. Which was amazing by the way. 

Mr. Caslow. Thank you. I tried to get that right. 

Your point is 100 percent correct. We in our community, both the 
Federal and the industrial side, do have to take a better effort to- 
wards embracing the hacker community. Now there is a lot of 
places I could send you to and hopefully you have your firewall set 
up the right way so you don’t take any nasty critters out with you. 
But lots of places that we have to leverage those. But in order to 
leverage those properly we have to send in a different type of re- 
cruiter. This recruiter cannot be looking like us in a 3-piece suit 
or in a suit and tie, walk in there and go, “Hey, guys, how are you 
doing? I am from the Government, I am from Boeing, let’s give you 
a job.” No. These types have to understand the people, they have 
to have the look, the feel, they have to have the knowledge to 
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speak to this community at the social and technical levels. Again 
I emphasize the word “social” because they do think differently. 
These people understand the hacker community more than any- 
thing. This is everything from the 13-year-old kid sucking down 
Mountain Dew and eating Hot Pockets in their parents’ basement 
to some of the more astute ones like — I will give a name like Dark 
Tangent who is out there and who is known inside the cyber com- 
munity, but we have to be able to leverage those as resources. 
Many of these people are patriots, I will tell you that right now, 
as was seen when it came to the Anonymous attack. A lot of Ameri- 
cans, United States American hackers came and said, “wait a sec- 
ond, you can’t do that to us, only we can do that to us.” So we do 
need to — only my dog, only I can kick it, right? But the reality is 
we need to embrace those more. 

So on that side, again you are right about the offensive nature 
of the game. As a former fleet Marine Force Navy Corpsman, I 
have a grunt mentality towards a lot of these issues. I believe in 
warheads on foreheads. That is a great way to solve a lot of prob- 
lems. This way we do have to embrace the people who actually are 
able to pull the trigger. In this case those people, acknowledged as 
the snipers so to speak, are this hacker community and some of 
these others. But again we are not going to go in recruiting them 
looking like this. 

Mr. Cravaack. My Dad was a Navy guy, 3rd Battalion, 3rd Ma- 
rines. 

You know it is so important what you are saying is that at the 
United States Naval Academy now they have major, cybersecurity. 
I mean that is how important that the Government is finally get- 
ting this. To be honest with you, if you told me about cybersecurity 
5 years ago I would have said, huh? So I am slowly coming around. 
This is a new virtual battlefield. The implications of which are so 
massive, providing with the right attack, that the ramifications are 
unbelievably massive, shutting down grids, you name it. 

Now I look at it from a National security aspect that we really 
have to start focusing on this effort. So I commend you for what 
you are doing. I am schooling myself up quickly on jumping on this 
bandwagon saying that we definitely have to do this. 

Now I am very concerned about Iranians. A small force can over- 
power just like you said and overcoming a Nation and that con- 
cerns me greatly. So the bottom line, I have got 18 seconds, but the 
bottom line is: Do you believe in that philosophy, a better offense 
is probably the best defense? 

Mr. CiLLUFFO. I wrote that in my testimony. So yes, I dis- 
suade — 

Mr. Cravaack. Great minds think alike then. 

Mr. CiLLUFFO. I also think, not to take away from the Navy is 
fine service, but we need the equivalent of Billy Mitchell to work 
at cyber. We have a lot of tactics masquerading as strategy. We 
have to be confident to be able to take these issues in a strategic 
kind of way, and that includes the computer network attack. We 
need to demonstrate capabilities, we need to be visible. What good 
is having a doomsday weapon if no one knows you have it? At the 
end of the day to me it is part of the solution, it is by no means 
the end-state, we still need to build up our defensive capabilities 
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but recognize that the attacker has the advantage here, and we 
need to always be in the front edge of this. 

Mr. Cravaack. Thank you, sir. I yield back, Mr. Chairman. 

Mr. Meehan. Thank you. The Chairman recognizes the 
gentlelady, Ms. Richardson. 

Ms. Richardson. Thank you, Mr. Chairman and both of our 
Chairmen for having this hearing today. First of all, I would like 
to ask the question, back in 2008 the CSIS Commission for Cyber- 
security for the 44th Presidency made 25 recommendations for a 
National cybersecurity strategy. To my knowledge, those have not 
been implemented to this point or at least from a legislative per- 
spective. Do you have any thoughts on that or where you would 
suggest that we go first? 

Mr. Caslow. I am glad you mentioned that because I did ref- 
erence CNCI and we do have the inability to pull the trigger. In 
my previous position, and again I do not represent those opinions 
of the Office of Director National Intelligence. I am a civilian, make 
sure I am perfectly clear on that, but in a previous edition I did 
have a lot of discussion on those. Unfortunately it was a lot of dis- 
cussion. Again we are too busy about trying to measure twice, cut 
once versus trying to just pull the trigger in an 80 to 85 percent 
solution. A lot of those efforts should be, I believe, my personal 
opinion, that they should be enforced from CNCI, 4, 5, 6, 7, 8, all 
the way through and we should take a better look at those again, 
bring in a group of subject matter experts, find out how we are 
going to get it done, potentially craft the legislation that makes it 
happen, and then fund that activity, because while we have got a 
lot of other battles on our front this is very important. It is not just 
important for us but it is important for our children and grand- 
children, lest we don’t have an infrastructure American way of life 
to share with them later. 

Ms. Richardson. Would either of you other gentlemen like to 
comment on the specifics of the 25 recommendations? 

Mr. CiLLUFFO. I don’t remember all the recommendations, but it 
is fair to say in a sound bite, long on nouns, short on verbs. I mean, 
we have talked a lot about the challenge. It is about implementa- 
tion and execution and I don’t want to sound overly dramatic, but 
in 1862 President Lincoln came before Congress with further storm 
clouds on the horizon and claimed as our time is anew we must 
think anew and ultimately act anew. We are there now. We know 
what some of the challenges are. There are great pieces of legisla- 
tion, many others have put forward pieces of legislation. Now is the 
time to actually get into that, identify what really needs to be done 
and pass legislation. This can’t be done through the private — first, 
the Government has to act to get its own house in order first and 
foremost. Then we have to look at what is the right incentive and 
other approaches to get the private sector in. 

Ms. Richardson. I understand. My question was were there any 
specific points that you wanted to make regarding the rec- 
ommendations in particular that you felt should have more of a pri- 
ority or address? 

Mr. CiLLUFFO. Act. 

Ms. Richardson. Okay, got it. 
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Mr. Caslow. If I could, I’m sorry, but if I could, CNCI 8 which 
was the education, training, and awareness which I did speak to, 
that to me is of the utmost importance. Because if we are not com- 
municating and training and we are not making sure we have the 
right skill sets in place, all the technology in the world doesn’t mat- 
ter for anything. 

Ms. Richardson. My last question for the three of you gentle- 
men, are any of you working with any stakeholder groups within 
the Department of Homeland Security or any other Federal agen- 
cy? 

Mr. Caslow. No, ma’am. 

Ms. Richardson. So you do your work completely from the out- 
side? So you are not being sought after to share your thoughts and 
ideas of what should be considered? 

Mr. Berman. Ma’am, not at the moment, no. 

Ms. Richardson. Sir. 

Mr. CiLLUFFO. I stand where I sit, I am not formally involved, 
but of course we share our ideas with every entity, including Con- 
gress and the Executive branch. 

Ms. Richardson. No, my question is: Is there a specific stake- 
holder group that you participate in sharing your ideas and the in- 
formation and knowledge that you have? 

Mr. CiLLUFFO. Not anymore. 

Mr. Caslow. Not since leaving the Government on February 27 
of this year. 

Ms. Richardson. Thank you, gentlemen. I yield back. 

Mr. Meehan. Thank you, Ms. Richardson. The Chairman would 
be delighted to ask Mr. Green and thank him for his attendance 
and his continuing interest in this area and would be delighted to 
accommodate any questions you might have if you do. 

Mr. Green. Thank you, Mr. Chairman, I thank you for allowing 
me to continue to participate. I am an interloper but I do have 
great interest in what is going on. While I cannot “Roger” what my 
colleague from the Navy said, I would like to as a veteran of the 
ghetto wars “Right On” what he said. I totally agree. I would like 
to focus if I may for just a moment on the phrase “we can’t firewall 
our way out of this.” I do understand botnet. I understand Zombie 
Armies, Trojan horses programs, and I have done some reading on 
Stuxnet, but I would hope that you are saying that while we can’t 
firewall our way out of it, we can at least use the firewall to get 
us to that 80 percent that you are talking about and perhaps 
maybe more at some point in the future because firewalls are an 
absolute necessity in doing whatever we can to prevent this. 

So let me just hear more on this question of how firewalls will 
help us to produce some degree of salvation. 

I would also add this, with reference to the plausible deniability, 
I would like someone to give me a comment on how we will at some 
point have to use as much empirical evidence as available to us. 
I am trying to do as my friend did earlier, select my words care- 
fully. I want my diction to be superb because as we move closer 
and closer to having to deal with Iran in what may become an un- 
pleasant way, plausible deniability cannot become a barrier to ac- 
quiring enough empirical evidence to act. 
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So would you please start with the firewall concept and how we 
have to deal with that and then plausible deniability as a means 
of preventing us from acting. 

Mr. CiLLUFFO. Sure, and I didn’t intend to pick on firewalls in 
particular. It was more meant to suggest that defensive measures 
alone, while important and we need to get to that 80 percent solu- 
tion, in itself you can’t expect a corporation to defend itself against 
foreign intelligence services, for example, that are going to use a 
mix of technical means, with human means, and an insider. Those 
are the sorts of challenges. Technology, while important, is agnostic 
but won’t take us all the way. Ultimately the people connection is 
important and we need to be able to share that information. 

So I did not mean to say don’t use your firewall. Please use your 
firewall. But that in itself is not going to take us where we need 
to go. If you think in a counterterrorism environment. Homeland 
Security critical, we needed to work the various issues but if we 
didn’t have that pointy end of the spear, if we didn’t have the days 
like we had in Abbottabad or other sorts of actions, we would never 
be able to ultimately prevail in some of these sorts of challenges. 

So I simply meant to suggest that we need to get, raise the bar, 
raise it high, but recognize that anything above and beyond that 
you can’t incent, you can’t expect the corporations to be able to de- 
fend themselves against that. So that was the purpose of my point. 

Also to suggest that we need to start investing and publicly dis- 
cussing our offensive capabilities because they are there. 

In terms of plausible deniability, that just makes one of the chal- 
lenges in terms of the attacks we are seeing. If I were to suggest 
one technical area to invest in, attribution, attribution, attribution. 

Mr. Green. Yes, sir. 

Mr. Berman. Sir, if I may jump in quickly, again I am not a cy- 
bersecurity specialist but to sort of to revert back to the topic of 
the hearing, I think what is interesting is something that Mr. 
Cilluffo alluded to in one of his answers, which is a cyber deterrent 
strategy, a strategy that marries concepts of deterrence with the 
idea that if someone reaches out and touches us it wouldn’t be good 
for them, it wouldn’t be healthy for them. 

I would point out that over the last 8, 9 years as the inter- 
national community has grappled with the Iranian issue we have 
had an abject lack of a deterrent strategy for dealing with Iran in 
terms of nuclear acquisition, in terms of its actions asymmetrically 
in places like Iraq and Afghanistan, and I would argue that we are 
now facing an area also that is crying out for the need for a more 
robust deterrent strategy so the Iranian regime understands very 
clearly that there are red lines that if they cross in the cyber realm 
would rebound to their profound detriment. 

Mr. Caslow. If I could, too, the concept of firewalls, let’s go to 
the technical side of this now, unfortunately you can say you have 
a firewall. When he said we can’t firewall our way out of this, I un- 
derstood exactly what he meant. A firewall is only good as how you 
establish the firewall. Me, I believe we should put across the main 
solutions all over the place because they are much more active. A 
firewall is a passive mechanism and if not established appro- 
priately and properly, then you can say you have a firewall but I 
will tell you right now more than likely if you had a home network 
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I will hack you, I will get you. If I can’t get you, someone else will, 
especially if you are not maintaining your firewall and ensuring the 
right security controls are in place the right way. 

So it is not only the technologies which you speak of but it is also 
the implementation of those technologies to ensure they are prop- 
erly implemented and secured in accordance with the standards 
that we have to put in place. So again they are only as good as you 
use them. Just like a gun, it is only as good as the person shooting 
it, right? 

Mr. Green. Thank you, Mr. Chairman. I am over my time. 
Thank you and I yield back. 

Mr. Meehan. Thank you, Mr. Green, and for your presence here. 
I know that the panel is ready to conclude, but I am going use my 
prerogative as the Chairman to ask one follow-up which is you 
have both — all three of you at separate times have developed this 
concept of an offensive not just capability but I am also inter- 
preting if I am getting it correctly as the utilization of some kind 
of offensive action in this environment. I certainly recall the days 
of assured mutual deterrence with the nuclear threat, but of course 
we never really used a nuclear weapon. So what is the predicate 
that would allow us to in a country like ours where we are hesitant 
to deliver some kind of an aggressive offensive action unless and 
until we believe we have been attacked? So how do we — would you 
develop this concept of offense in this world where the conclusion 
seems to be we are not going to be able to exclusively simply de- 
fend ourselves from the consistent probes that may turn into an ac- 
tual attack from Iran or China or Russia. What is offense? 

Mr. CiLLUFFO. Mr. Chairman, that is an excellent set of points, 
and I think before we lean too forward in this direction we do need 
to have the tough doctrinal sets of questions. We have a lot of 
strategy, we have a lot of tactics, but there is nothing pulling these 
pieces together. In the midst of that you also need to clearly define 
rules of engagement, which have not been done thus far. But I 
might suggest there are ways to demonstrate capability, such as 
nuclear tests, short of actually delivering such a capability through 
various platforms on a particular actor. 

I might also note that we do need to start thinking of the home- 
land implications. I mean, one of the challenges with cyber weap- 
ons, you use them, you use them once, they can be used against 
you. A, you can reverse-engineer it and use it against you; B, you 
are compromising your golden bullet potentially that you may want 
to use when you really need it. So ultimately we have got to start 
embedding computer network attack and cyber thinking into tradi- 
tional National security and military thinking. Right now we treat 
it a bit as a black art, ooh, ah. At the end of the day if we start 
discussing it as we do every other platform system and TTP that 
can be deployed, then it takes some of that out and we are going 
to want to play to our strengths, because ultimately the greatest 
threat is not cyber unique, it is cyber as a force multiplier to ki- 
netic or whatever else it may be. That is also what we need to be 
worried about defensively in terms of higher-end actors. 

My whole point is if we don’t create these bright lines in the sil- 
icon or in the sand, there is nothing to dissuade, deter, or compel 
people from engaging in the space. We need to start finding the 
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critical infrastructures. If people are mapping that there should be 
consequences. What other reason could they use to map that other 
than to potentially use that as part of a broader attack plan? To 
me that is where the line needs to be crossed. In the exploit busi- 
ness, we are all in the exploit business, so that is a little more dif- 
ficult, but once it starts going to some of these critical infrastruc- 
tures we need to be thinking about that. 

I might also note your committee I think has an obligation and 
the responsibility to be involved in these discussions because there 
are homeland implications if we start moving proactively that we 
need to be ready for defensively. Before we engage in certain mili- 
tary activities, I want to make sure our homeland is protected from 
some of those. 

So these are tough questions, cuts across all committee structure, 
all Executive branch, and truth is we don’t have the doctrine right 
now. We need to start developing it and I would argue discussing 
it, because right now we are kind of in the worst of both places. 

The Office of Director of National Intelligence, the National 
Counterintelligence Executive, NCIX, recently came out naming 
names, calling out Russia and China, stealing billions and tens of 
billions of dollars of our intellectual property. Now we are saying: 
They are doing it, what is the disincentive for them to continue 
doing that? What would an Iran interpret if they see we say it is 
happening and we are not doing much to visibly defend ourselves. 
So I think we need to start having these conversations. 

Mr. Berman. Sir, one parenthetical point, sort of going back to 
the topic of the hearing, I think it is important and both of my col- 
leagues alluded to it as part of their remarks, is that not all threat 
actors are created equal. In this context, specifically in the Iranian 
context, politics matter. In fact they matter a lot. In order for us 
to have a predictive cyber strategy that marries defense and of- 
fense, that includes deterrence, we have to not only think about the 
operational capabilities of these threat actors but also what is hap- 
pening in the real world that might incentivize them to act where- 
as others would not. I think whether you look at, specifically think- 
ing about the military, when you look the at the Pentagon’s recent 
work on developing something resembling a cybersecurity blue- 
print, they have been grappling with precisely this question: At 
what point do you draw a red line that would activate sort of a cas- 
cading series of events that might end up in a real military con- 
flict? This may be a peripheral issue or a conceptual issue for deal- 
ing with Russia or China, at least at the moment, it may be a 
much more actual one with regard to Iran because of what is going 
on in the real world. 

Mr. Caslow. Sir, if I might add to that, let’s go to the establish- 
ment of U.S. Cyber Command, darn good idea, great function. 
DIRNSA, its great leader, I have much respect for the man. Unfor- 
tunately, there is one bad aspect of that, something called posse 
comitatus. The U.S. military cannot exert their arm over domestic 
United States. Right? We all know this, this is the law, that is the 
way it is. The Department of Homeland Security has that purview. 
Homeland Security and NSA as U.S. Cyber Command have inte- 
grated in some aspects, but that is a relationship integration, it is 
not a formal integration. To my knowledge there is no area where 
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this thing has been crossed. While we can do all we can to defend 
the National security systems, both unclassified all the way to the 
TS/SCI, the fact still remains it is our partners who are outside of 
those realms that are sitting on the regular networks, our friends 
of Boeing, Lockheed, wherever all this intellectual property is being 
stolen from, Microsoft, Google, you name it, they are just as at risk. 
There is no way for Cyber Command to exert their force and what 
their ideas are to help that other than the fact that if the Google 
SISO, Information Security Officer, goes to NSA and says: Hey, we 
would like your input on this, how do you recommend we do it? But 
there is no massive, as my colleagues stated, this strategy, this de- 
terrent strategy could articulate some of these things and put those 
in place so we could show these relationships. We could make sure 
we put things out, that we enforce these to make sure. 

Again we can protect the U.S. Government’s infrastructures. I 
have no doubt about that. However, they are going to get us some- 
where else. They are going to get us on the back side, they are 
going to get us on our weak spot. You don’t — you attack the bear 
from the belly, you don’t attack it from the teeth, and that is what 
is going to happen. So I would encourage the look at, and not too 
long of a dialogue, as in some cases have occurred, but the look at 
and the discussion with subject matter experts in all relevant are- 
nas, not just the Government personnel and CEO and SISOs of 
these companies, to get together to try to dialogue and discuss how 
to do it. Again not just one vector, we need to address all the poten- 
tial vectors. Because it very well may come from another side that 
we are not looking. We are treating against termites and all of a 
sudden it is those darn little fire ants from Florida that gets us in- 
stead. Oh, what do we do now? So we need to ensure that we do 
take precautions action to ensure that we address as many as pos- 
sible. In order to do that we have to dialogue, we have to put it 
in writing, put it down, tap it down, and to discuss it. Then we 
start moving the flag. Once we put the flag in the sand, then we 
can start moving it around to somewhere we all can agree on and 
then we take action. 

Mr. Meehan. Your testimony has been compelling. I thank you 
not only for your presence here today and the work you have done 
but for your continuing work of each of you in this critically impor- 
tant area. I think I speak for all of my colleagues on both sides of 
the aisle by virtue of the attention that we are trying to pay into 
this issue too that we value and gain a great deal from your per- 
spective and look forward to working with you in the midst of what 
is a very real and a very genuine, not just challenge, but threat to 
the safety and security of the United States and its interests. 

Thank you so much. I thank the witness for their testimony and 
the Members for their questions. The Members might have some 
follow-up additional questions and if they do and they forward 
those, I will ask if you could be responsive within the 10 days. 

So without objection, the committee stands adjourned. Thank 
you. 

[Whereupon, at 11:45 a.m., the subcommittees were adjourned.] 




APPENDIX 


Questions From Chairman Michael T. McCaul for Frank J. Cilluffo 

Question la. Although Iran is the world’s largest state sponsor of terrorism, it is 
difficult to fully assess Iran’s ability to carry out attacks on-line. However, over the 
last 5 years it has become increasingly clear that Iran’s cyber capabilities are be- 
coming more sophisticated and rank among the best in the world. 

How likely is it that Iran’s leaders would collaborate and/or fund their developing 
cyber capabilities with foreign states like North Korea that are antagonistic to the 
United States, or pass on offensive cyber capabilities to terrorist proxies like 
Hezbollah? 

Answer. Those countries that have the United States in their cross-hairs — includ- 
ing Iran, Cuba, North Korea, and Venezuela — and their proxies (notably Hezbollah, 
in the case of Iran) are assuredly of concern in the cyber context. However, there 
is a need to think differently about cyber, instead of simply invoking traditional 
frames of reference for military cooperation. Models for joint or combined defense 
planning and cooperation must be adjusted to the cyber context. Where cyber is con- 
cerned, tools and techniques, exploits, lessons learned, reconnaissance results, and 
information on targets and vulnerabilities may be (and are) shared frequently be- 
tween and among states and groups — but that does not necessarily signal formal 
sanctioned cooperation. Nevertheless, this type of informal collaboration, particu- 
larly among parties whose posture is antagonistic to the United States, is an issue 
of significant concern. 

By contrast, formal cooperation in the stricter sense of the term is a less likely 
prospect. Indeed, there are several reasons that Iran may not seek that type of co- 
operation to develop their cyber capabilities jointly with other states hostile to the 
United States. Perhaps the most compelling is that there is little need to do so be- 
cause there is a convenient alternative: The equivalent of a cyber arms bazaar al- 
ready exists. Many individuals and organizations stand ready to rent or sell sophis- 
ticated cyber attack capabilities, including hots that could be used to steal informa- 
tion or shut down key elements of physical infrastructure. Moreover, the type of col- 
laboration proposed would require a level of trust between the state parties that 
would seem difficult to achieve, if not unattainable. (The most sensitive information 
is unlikely to be shared though sharing in more general terms is likely, as outlined 
above). Keep in mind that each party could potentially turn the capabilities in ques- 
tion on or against the other. Further, neither party could prevent the other’s use 
of the capabilities against a third entity, and once used the value of the weapon 
drops or may even evaporate, as targets will be able to craft defenses. The signifi- 
cance of each of these potential hurdles should not be underestimated. 

Sharing capabilities with proxies like Hezbollah is an even more likely scenario. 
The exchange could also run in both directions, as Hezbollah has shown itself to be 
an innovative organization, and because cyber capabilities are of special interest to 
sub-state actors, since these tools can help level the playing field. In June 2011, 
Hezbollah established the Cyber Hezbollah organization; and Hezbollah is deftly ex- 
ploiting social media tools such as Facebook to gain intelligence and information. 
It is worth underscoring that Iran has a long history of demonstrated readiness to 
employ proxies for terrorist purposes, drawing on kinetic means. There is little, if 
any, reason to think that Iran would hesitate to engage proxies to conduct cyber 
strikes against perceived adversaries. 

Question lb. A hacker group identified as the Iranian Cyber Army (ICA) has re- 
ceived credit for a number of hacking incidents over the last few years. According 
to reports, the Iranian Cyber Army has used social engineering techniques to obtain 
control over internet domains and disrupt the political opposition in Iran. 

What is the command-and-control relationship between the Iranian Revolutionary 
Guards Corps and this Iranian Cyber Army? 

How does the Iranian Cyber Army fund, train, and recruit hackers? 

( 43 ) 
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Answer. Certainly there is a desire, as manifested in attempts referenced and 
seen in recent reporting and trends, to assert a degree of centralization. However 
Iran is not monolithic. Command-and-control there is somewhat murky, even within 
the Iranian Revolutionary Guard Corps (IRGC), let alone what is outsourced. The 
attribution challenge associated with cyberspace — a domain made for plausible 
deniability — is therefore all the more complicated where Iran is concerned. Yet, ele- 
ments of the IRGC have openly sought to pull hackers into the fold; and the Basij, 
who are paid to do cyber work on behalf of the regime, provide much of the man- 
power for Iran’s cyber operations. There is evidence that at the heart of IRGC cyber 
efforts one will find the Iranian political/criminal hacker group Ashiyane. The high 
visibility of attacks seen to date (including the Iranian Cyber Army’s strike against 
Twitter, the Chinese search engine Baidu, and websites managed by the opposition 
Green Movement) suggests that the Iranian Cyber Army and similar groups might 
be used as proxies by the IRGC. Though fluid, hacker groups are being cultivated 
and guided, if not always directly controlled, by the IRGC. 

Question 2a. The Iranian government recently held a conference in Tehran an- 
nouncing the creation of the Iranian Cyber Defense Center within their military 
forces. The head of Iran’s Passive Defense Organization, Brigadier General Gholam 
Reza Jalali, indicated that the new center may be responsible not only for defensive 
cybersecurity, but also for offensive cyber attacks. 

How likely is it that this center will begin to coalesce the various hacking groups 
(such as the ICA) into a single entity controlled by the IRGC? What are the known 
priorities of the new Iranian Cyber Defense Center and how are they developing 
their cyber workforce? 

Answer. As outlined in my prepared remarks, we have seen efforts on the part 
of elements of the IRGC to pull hackers into the fold to do work on behalf of the 
Iranian regime. The likelihood of these expedient partnerships coalescing into a 
(single) cohesive, coherent, and effective unit is questionable, however, particularly 
if Iran’s history offers any guide to the country’s future. 

Open source reporting on the Iranian Cyber Defense Center is quite scant. Stated 
priorities include countering threats (of cyber attack), training, “controlling access 
to computer networks and establishing cyber defense centers in institutions. 
Workforce development in the cyber domain could prove challenging for Iranian au- 
thorities. Monetary inducements have proved useful for enlisting the skills of the 
Basij, but the supply of talent within the country may well have important limits. 
The young, clever, creative people that truly thrive in this domain may, on balance, 
not he sympathetic to the regime or its aims. This problem is exacerbated by the 
fact that Iran simply does not have the numbers (population base and potential re- 
cruitment pool) that say, China does. 

Question 2b. Iran’s leaders have made concerted efforts to develop friendships 
with other foreign leaders antagonistic to the United States. What is the likelihood 
that foreign countries such as Cuba, Venezuela, North Korea, and others, might col- 
laborate with Iran in developing cyber warfare capabilities? 

Answer. Cuba, Venezuela, and North Korea undoubtedly constitute a troika of 
concern. As detailed above in my reply to Question 1, however, there are several 
reasons that Iran may not seek to formally develop their cyber capabilities jointly 
with other states antagonistic to the United States — but friendships between and 
among these parties could increase the likelihood of cooperation or coordination, de- 
signed to execute attack(s). As detailed in my written testimony, press reports have 
alleged “that Iranian and Venezuelan diplomats in Mexico were involved in planned 
cyber attacks against U.S. targets, including nuclear power plants.” U.S. officials 
are investigating, but media reports have indicated that the hackers who briefed the 
Iranian and Venezuelan diplomats on the planned attacks “sought support and 
funding from the diplomats,” who in turn pledged “to pass information to their gov- 
ernments.” Iran has also shown itself to be ready and willing to partner with non- 
state entities on kinetic plots, such as the recently thwarted one to assassinate 
Saudi Arabia’s ambassador the United States, drawing on the assistance of a Mexi- 
can drug cartel. Given this history, it would not be a stretch for Iran to collaborate 
with other parties hostile to the United States, whether state or non-state entities, 
with the intent of causing harm to the United States. Even a limited goal, meaning 
an attack intended to inflict harm short of defeat of the United States, could still 
have serious repercussions. For example, a cyber attack (or worse, multiple cyber 
attacks) executed against U.S. targets at the same time as one or more of our adver- 
saries make a move in the physical world, such as a push to seize key land or ship- 
ping lanes, could slow or complicate U.S. response so that we are unable to marshal 


^httpij / forum.internet-haganah.com I showthread.php?399-The-woods-are-lovely-dark-and-deep 
and http : / j www.mehrnews.com / enl newsdetail.aspx?NewsID=1472234. 



45 


our power fully and effectively. The result could be “a fait accompli” in the adver- 
sary’s favor. 

The ability to achieve synergy between the physical and cyber dimensions, and 
to embed that capability into political/military strategic planning, would take Iran 
to the next level. Moving forward, therefore, the United States should pay special 
attention to discerning and appreciating developments in this area. 

Questions From Chairman Michael T. McCaul for Ilan Berman 

Question la. Although Iran is the world’s largest state sponsor of terrorism, it is 
difficult to fully assess Iran’s ability to carry out attacks on-line. However, over the 
last 5 years it has become increasingly clear that Iran’s cyber capabilities are be- 
coming more sophisticated and rank among the best in the world. 

How likely is it that Iran’s leaders would collaborate and/or fund their developing 
cyber capabilities with foreign states like North Korea that are antagonistic to the 
United States, or pass on offensive cyber capabilities to terrorist proxies like 
Hezbollah? 

Answer. The full extent of Iranian capabilities is, by its nature, difficult to ascer- 
tain. So, too, is the question of whether the Islamic Republic is currently actively 
collaborating with foreign partners on the development of its cyber potential. How- 
ever, it is worth noting that Iran has in the past worked with countries such as 
North Korea on a number of strategic programs (to include nuclear testing and the 
development of ballistic missiles). As well, Iran’s efforts to isolate its population 
from the world wide web are consonant with China’s attempts to limit access to 
internet content on the part of its citizenry. As such, at least some degree of co- 
operation in the cyber arena can be expected to be taking place between Iran and 
its strategic partners. 

Similarly, Iran is the chief sponsor of Hezbollah, and has aided the Lebanese mili- 
tia in its armament, its political activities, and its expansion beyond the Middle 
East. Iranian assistance to Hezbollah in the development of cyber capabilities thus 
cannot be ruled out, although little is as yet known about Hezbollah’s cyber warfare 
potential. 

Question lb. A hacker group identified as the Iranian Cyber Army (ICA) has re- 
ceived credit for a number of hacking incidents over the last few years. According 
to reports, the Iranian Cyber Army has used social engineering techniques to obtain 
control over internet domains and disrupt the political opposition in Iran. 

What is the command-and-control relationship between the Iranian Revolutionary 
Guards Corps and this Iranian Cyber Army? 

How does the Iranian Cyber Army fund, train, and recruit hackers? 

Answer. The command-and-control relationship between the Iranian Cyber Army 
(ICA) and the IRGC is not presently clear. Formally, the ICA has depicted itself at 
least in part as a self-organizing group — akin to patriotic “hacktivists” present in 
places such as China. However, the ICA’s operations closely mirror regime objec- 
tives, and its targets are overwhelmingly those out of favor with the Iranian regime, 
suggesting tacit official sanction and possibly direction. 

I do not have knowledge about the methods with which the ICA carries out its 
training or recruitment. With regard to funding, however, the connections with offi- 
cial regime entities (such as the IRGC) suggests that at least a portion of the ICA’s 
funding is derived from governmental sources. 

Question 2a. The Iranian government recently held a conference in Tehran an- 
nouncing the creation of the Iranian Cyber Defense Center within their military 
forces. The head of Iran’s Passive Defense Organization, Brigadier General Gholam 
Reza Jalali, indicated that the new center may be responsible not only for defensive 
cybersecurity, but also for offensive cyber attacks. 

How likely is it that this center will begin to coalesce the various hacking groups 
(such as the ICA) into a single entity controlled by the IRGC? What are the known 
priorities of the new Iranian Cyber Defense Center and how are they developing 
their cyber workforce? 

Answer. Such organization is a real possibility. To the extent that the Iranian re- 
gime would see benefit to uniting various hacker groups and exerting even greater 
control over their activities, a “consortium” may be tbe logical end-result. Such a 
grouping would, by its nature, lend itself most closely to the activities and direction 
of the IRGC. 

Question 2b. Iran’s leaders have made concerted efforts to develop friendships 
with other foreign leaders antagonistic to the United States. What is the likelihood 
that foreign countries such as Cuba, Venezuela, North Korea, and others, might col- 
laborate with Iran in developing cyber warfare capabilities? 



46 


Answer. Such collusion is already taking place, at least on a low level. A docu- 
mentary by the Spanish-language television channel Univision late last year ex- 
posed efforts by the former Venezuelan consul to Miami, Livia Antonieta Acosta 
Noguera, to recruit hackers for attacks on U.S. targets — an initiative that was car- 
ried out at least partly with Iranian assistance. The incident suggests that Iran’s 
efforts to find common cause with anti-American regimes (including in the Amer- 
icas) extend to the cyber realm — and that Tehran and its allies are actively contem- 
plating cyber attacks on targets within the U.S. homeland. 

Questions From Chairman Michael T. McCaul for Roger Caslow 

Question la. Although Iran is the world’s largest state sponsor of terrorism, it is 
difficult to fully assess Iran’s ability to carry out attacks on-line. However, over the 
last 5 years it has become increasingly clear that Iran’s cyber capabilities are be- 
coming more sophisticated and rank among the best in the world. 

How likely is it that Iran’s leaders would collaborate and/or fund their developing 
cyber capabilities with foreign states like North Korea that are antagonistic to the 
United States, or pass on offensive cyber capabilities to terrorist proxies like 
Hezbollah? 

Question lb. A hacker group identified as the Iranian Cyber Army (ICA) has re- 
ceived credit for a number of hacking incidents over the last few years. According 
to reports, the Iranian Cyber Army has used social engineering techniques to obtain 
control over internet domains and disrupt the political opposition in Iran. 

What is the command-and-control relationship between the Iranian Revolutionary 
Guards Corps and this Iranian Cyber Army? 

How does the Iranian Cyber Army fund, train, and recruit hackers? 

Answer. The likelihood of the nation-states collaborating could be measured by 
the current analysis available through the intelligence community assessments on 
proliferation. While most counter-proliferation has been focused on CBRNE efforts 
this could be used as a gauge for overall technology transfer. With respect to the 
non-state actors such as Hezbollah, the best litmus for this may reside in HUMINT 
reporting. Computer network attack capabilities are for the most part known, within 
one circle or another. To gain a better understanding of these I would highly rec- 
ommend that further discussions, behind closed doors, be had with organizations 
such as the Open Information Security Foundation. 

I have no unclassified knowledge of the command-and-control, funding, training, 
or recruiting for the Iranian Cyber Army. 

I wish that I could be of more assistance but given that I still maintain a TS/ 
SCI I am reluctant to discuss any of these issues via this media. 

Question 2a. The Iranian government recently held a conference in Tehran an- 
nouncing the creation of the Iranian Cyber Defense Center within their military 
forces. The head of Iran’s Passive Defense Organization, Brigadier General Gholam 
Reza Jalali, indicated that the new center may be responsible not only for defensive 
cybersecurity, but also for offensive cyber attacks. 

How likely is it that this center will begin to coalesce the various hacking groups 
(such as the ICA) into a single entity controlled by the IRGC? What are the known 
priorities of the new Iranian Cyber Defense Center and how are they developing 
their cyber workforce? 

Question 2b. Iran’s leaders have made concerted efforts to develop friendships 
with other foreign leaders antagonistic to the United States. What is the likelihood 
that foreign countries such as Cuba, Venezuela, North Korea, and others, might col- 
laborate with Iran in developing cyber warfare capabilities? 

Answer. Response was not received at the time of publication. 
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